CVE-2025-36364 is a vulnerability identified in IBM DevOps Plan versions 3.0.0 through 3.0.5, where the web application improperly stores sensitive information in the web browser cache. This vulnerability is categorized under CWE-525, which concerns the use of web browser caches containing sensitive data. The root cause is that the application allows sensitive data to be cached locally by the browser without adequate controls or cache directives to prevent this behavior. Consequently, any other user with access to the same system and user profile can read this cached data, potentially exposing confidential information such as authentication tokens, project details, or other sensitive DevOps-related data. The CVSS 3.1 base score of 6.2 reflects a medium severity, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). Exploitation requires local access to the system but no elevated privileges or user interaction, making it a concern in multi-user environments or shared workstations. No public exploits have been reported yet, but the vulnerability could be leveraged by malicious insiders or attackers with local access to extract sensitive cached data. The vulnerability highlights the importance of secure cache control headers and proper handling of sensitive data in web applications, especially in enterprise DevOps tools that manage critical development and deployment pipelines.

The primary impact of CVE-2025-36364 is the potential unauthorized disclosure of sensitive information stored in the browser cache of IBM DevOps Plan users. This can lead to confidentiality breaches involving project data, credentials, or tokens that could be used for further attacks or espionage. Since the vulnerability requires local access, the risk is elevated in environments where multiple users share systems or where endpoint security is weak. Attackers or unauthorized users with access to the same machine can retrieve cached data without needing elevated privileges or user interaction. This exposure could facilitate lateral movement within an organization or compromise of development pipelines. There is no direct impact on data integrity or system availability, but the confidentiality breach alone can have serious consequences, including intellectual property theft, compliance violations, and reputational damage. Organizations relying on IBM DevOps Plan for critical software development and deployment processes may face increased risk if this vulnerability is not addressed promptly.

To mitigate CVE-2025-36364, organizations should implement the following specific measures: 1) Restrict local system access by enforcing strict user account controls and limiting shared workstation usage to trusted personnel only. 2) Configure browsers used with IBM DevOps Plan to clear cache on exit or disable caching for the application domain via browser settings or extensions. 3) Employ endpoint security solutions that monitor and restrict unauthorized access to browser cache directories. 4) Educate users about the risks of leaving sensitive sessions open on shared machines and encourage logging out after use. 5) IBM should release patches or updates that implement proper cache-control HTTP headers (e.g., Cache-Control: no-store, no-cache) to prevent sensitive data from being cached. 6) Until patches are available, consider isolating IBM DevOps Plan usage to dedicated, secure machines with minimal user sharing. 7) Regularly audit and monitor local systems for signs of unauthorized access or data exfiltration attempts. 8) Review and harden application configurations to minimize sensitive data exposure in client-side storage. These targeted actions go beyond generic advice by focusing on local access controls, browser cache management, and operational security tailored to the nature of this vulnerability.