CVE-2025-62647: CWE-863 Incorrect Authorization in Restaurant Brands International assistant platform
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path.
AI Analysis
Technical Summary
CVE-2025-62647 is an authorization vulnerability classified under CWE-863 found in the Restaurant Brands International assistant platform. The flaw lies in the platform's mechanism for issuing JSON Web Tokens (JWTs) that are used to call an API endpoint returning signed AWS upload URLs. These URLs grant the ability to upload or modify content within store-specific paths in AWS storage. Due to incorrect authorization checks, an authenticated user with some privileges can request JWTs that allow access to any store's upload path, not just those they are authorized for. This breaks the principle of least privilege and can lead to unauthorized integrity modifications of store data or assets. The vulnerability has a CVSS 3.1 base score of 5.0 (medium severity): network attack vector, low attack complexity, privileges required, no user interaction, and an integrity impact with no effect on confidentiality or availability. No public exploits are known at this time, but the vulnerability presents a risk of unauthorized content manipulation within the RBI ecosystem. The affected product version is listed as '0', suggesting either an early or internal version, and no patches are currently linked. The issue was published on October 17, 2025.
Potential Impact
For European organizations, particularly those operating RBI franchises or integrating with the RBI assistant platform, this vulnerability could enable unauthorized modification of store-specific data or content hosted on AWS. This may lead to data integrity issues, such as tampering with promotional materials, menu information, or operational data, potentially causing reputational damage or operational disruptions. While confidentiality and availability are not directly impacted, integrity violations can undermine trust in digital assets and may facilitate further attacks if malicious content is uploaded. Given the network-based attack vector and low complexity, attackers with some level of access could exploit this vulnerability remotely. The impact is heightened in Europe due to the presence of RBI brands and the regulatory environment emphasizing data integrity and security. Failure to address this vulnerability could also lead to compliance risks under regulations like GDPR if manipulated data affects customer information or service delivery.
Mitigation Recommendations
To mitigate CVE-2025-62647, RBI should implement strict authorization checks ensuring JWTs are only issued for store paths the requesting user is explicitly authorized to access. This includes validating user privileges against the requested store identifier before token issuance. The API generating signed AWS upload URLs must enforce access control policies that verify the JWT's scope and permissions correspond to the target resource path. Employing fine-grained role-based access control (RBAC) and continuous monitoring of API usage patterns can help detect and prevent abuse. Additionally, implementing logging and alerting on anomalous upload URL requests or uploads can provide early warning of exploitation attempts. Organizations using the assistant platform should apply any forthcoming patches promptly and conduct security reviews of their integration points. Network segmentation and limiting access to the assistant platform APIs to trusted internal systems can reduce exposure. Finally, regular security training for developers and administrators on secure token handling and authorization best practices is recommended.
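The two checks this paragraph calls for, an entitlement check against the requested store identifier before any token is minted and a path check against the token's store claim when the signed upload URL is requested, as an added example that is not RBI's code and not code from this advisory. The user directory, the `store` and `scope` claim names, the signing secret, the store ids and the `stores/<id>/` object-key layout are all constructed assumptions; the JWT is HS256 built from the standard library so the block runs offline.

```python
"""Added example (not RBI's code): store-scoped upload-token issuance and
path-checked upload-URL authorization, the CWE-863 fix pattern described
in the mitigation text. Users, claims, secret and paths are constructed."""
import base64
import hashlib
import hmac
import json
import posixpath
import time

SECRET = b"constructed-hs256-secret-do-not-reuse"  # assumption: server-side key

# Constructed entitlement data: which store paths each user may upload to.
USER_STORES = {
    "manager-1001": {"store-1001"},
    "regional-east": {"store-1001", "store-1002"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes, secret: bytes) -> str:
    return _b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())


def issue_upload_token(user: str, store_id: str, secret: bytes = SECRET,
                       ttl: int = 300, now=None) -> str:
    """Hardened issuer: the store the caller names is checked against the
    caller's entitlements BEFORE a token is signed. The flaw the advisory
    describes is the absence of this check, i.e. signing whatever store id
    the request carries."""
    if store_id not in USER_STORES.get(user, set()):
        raise PermissionError(f"{user} is not authorized for {store_id}")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # The authorized store travels inside the signed claims, so the
    # upload-URL API can bind the grant to exactly one store path.
    claims = {"sub": user, "store": store_id, "scope": "upload",
              "iat": now, "exp": now + ttl}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    return signing_input + "." + _sign(signing_input.encode(), secret)


def verify_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Verify alg, HS256 signature and expiry; return the claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick 'none'
    expected = _sign(f"{h}.{p}".encode(), secret)
    if not hmac.compare_digest(expected, s):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorize_upload_path(token: str, requested_path: str,
                          secret: bytes = SECRET, now=None) -> str:
    """Upload-URL endpoint check: the requested object key must sit under the
    path of the store named in the token. Returns the normalized key on
    success; the caller would only then pre-sign an upload URL for that key."""
    claims = verify_token(token, secret, now)
    if claims.get("scope") != "upload":
        raise PermissionError("token lacks upload scope")
    # Normalize first so '..' segments cannot walk into another store's path.
    key = posixpath.normpath(requested_path).lstrip("/")
    allowed_prefix = f"stores/{claims['store']}/"
    if not key.startswith(allowed_prefix) or ".." in key.split("/"):
        raise PermissionError(f"{requested_path!r} is outside {allowed_prefix}")
    return key
```

The important design choice is that the store identifier is decided by the issuer from the caller's entitlements and carried in a signed claim; the upload-URL endpoint never trusts a store id supplied in the request body, only the one in the verified token, and it compares against a normalized key so that a `..` segment cannot cross into a sibling store's prefix.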
Affected Countries
United Kingdom, Germany, France, Spain, Italy, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-10-17T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f2ab359c34d0947f42a467
Added to database: 10/17/2025, 8:46:45 PM
Last enriched: 10/29/2025, 3:37:50 PM
Last updated: 11/29/2025, 3:06:26 PM