CVE-2025-50900 is a critical security vulnerability identified in the getrebuild/rebuild software version 4.0.4, specifically within the class com.rebuild.web.RebuildWebInterceptor and its preHandle function. The vulnerability arises from improper handling of URL-decoded request paths. The interceptor uses CodecUtils.urlDecode(request.getRequestURI()) to decode the incoming request URI and then checks if the decoded path ends with '/error'. If it does, the interceptor returns true, effectively bypassing further security checks and allowing the request to proceed without authentication. For all other paths, the interceptor redirects unauthenticated requests to the /user/login API. This logic flaw enables unauthenticated attackers to bypass authentication controls by crafting requests that end with '/error', thereby gaining unauthorized access to sensitive information or escalating privileges within the application. The vulnerability is classified under CWE-284 (Improper Access Control), indicating a failure to enforce proper authorization checks. The CVSS v3.1 base score is 9.8, reflecting a critical severity level due to its network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the critical impact make this a significant threat that demands immediate attention.

For European organizations using getrebuild/rebuild 4.0.4, this vulnerability poses a severe risk. Attackers can exploit the flaw remotely without authentication or user interaction, potentially accessing sensitive data, modifying system configurations, or disrupting services. This can lead to data breaches involving personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Critical infrastructure and enterprises relying on this software for web services could face operational disruptions or unauthorized privilege escalations, undermining trust and business continuity. The broad impact on confidentiality, integrity, and availability means that exploitation could facilitate further attacks, including lateral movement within networks or deployment of malware. Given the critical nature of the vulnerability, European organizations must prioritize patching or mitigating this issue to prevent exploitation and comply with data protection regulations.

1. Immediate patching: Organizations should monitor for official patches or updates from the getrebuild/rebuild maintainers and apply them as soon as they become available. 2. Temporary access control: Until a patch is available, implement web application firewall (WAF) rules to block or closely monitor requests with URIs ending in '/error' or suspicious URL-encoded patterns that could exploit this logic flaw. 3. Code review and hardening: Review the interceptor logic to avoid bypassing authentication based solely on URL path suffixes. Implement robust authentication and authorization checks that do not rely on URL patterns. 4. Input validation: Sanitize and validate all incoming request URIs to prevent manipulation of the URL decoding process. 5. Logging and monitoring: Enhance logging of all requests, especially those bypassing authentication, and set up alerts for unusual access patterns. 6. Network segmentation: Limit exposure of vulnerable services to trusted networks or VPNs to reduce attack surface. 7. Incident response readiness: Prepare to detect and respond to potential exploitation attempts, including forensic analysis and containment procedures.