
CVE-2025-6504: Unauthorized Access to Sensitive resources in Progress Software Hybrid Data Pipeline

Severity: High
Published: Tue Jul 29 2025 (07/29/2025, 12:56:28 UTC)
Source: CVE Database V5
Vendor/Project: Progress Software
Product: Hybrid Data Pipeline

Description

In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range. This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.

AI-Powered Analysis

Last updated: 07/29/2025, 13:32:58 UTC

Technical Analysis

CVE-2025-6504 is a high-severity vulnerability affecting Progress Software's Hybrid Data Pipeline (HDP) Server versions below 4.6.2.2978 running on Linux. The vulnerability arises from improper validation of the X-Forwarded-For (XFF) HTTP header, which is client-controlled and can be spoofed by an attacker. HDP Server uses IP-based whitelisting to restrict access to sensitive resources. However, because the server trusts the XFF header to determine the client's IP address, an attacker can craft requests with a spoofed XFF header containing an IP address from a whitelisted range. This allows the attacker to bypass IP-based access controls. Despite this bypass, the attacker must still provide valid user credentials to access resources, meaning the vulnerability facilitates unauthorized access by circumventing network-level restrictions rather than authentication controls. The vulnerability impacts confidentiality, integrity, and availability, as it allows attackers to access sensitive data and potentially manipulate or disrupt services. The CVSS 3.1 score is 8.4 (high), reflecting network attack vector, low attack complexity, requirement for high privileges (valid credentials), user interaction required, and scope change, with high impact on confidentiality, integrity, and availability. No known exploits are reported in the wild yet. The vulnerability is specific to Linux deployments of HDP Server below version 4.6.2.2978, and the vendor has not yet published patches or mitigation guidance at the time of this report.

Potential Impact

For European organizations using Progress Software Hybrid Data Pipeline on Linux, this vulnerability poses a significant risk. Many enterprises rely on HDP for data integration and pipeline management, often handling sensitive or regulated data. The ability to bypass IP-based access controls via XFF spoofing undermines network perimeter defenses, potentially exposing sensitive resources to unauthorized internal or external actors who have valid credentials but would otherwise be blocked by IP restrictions. This could lead to data breaches, unauthorized data manipulation, or service disruption. Given the high confidentiality, integrity, and availability impacts, organizations in sectors such as finance, healthcare, critical infrastructure, and government are particularly at risk. The requirement for valid credentials somewhat limits exploitation to insiders or compromised accounts, but the IP bypass expands the attack surface significantly. Additionally, the vulnerability could be leveraged in multi-stage attacks where attackers first obtain credentials and then exploit this flaw to evade network controls. The lack of patches increases exposure until remediation is applied.

Mitigation Recommendations

European organizations should take immediate steps beyond generic advice:
1) Implement strict validation and sanitization of the X-Forwarded-For header at the application or network edge to prevent spoofing. This can include configuring web/application firewalls or reverse proxies to ignore or overwrite client-supplied XFF headers unless they originate from trusted proxies.
2) Restrict access to HDP Server management interfaces and APIs to trusted networks and enforce multi-factor authentication to reduce the risk from compromised credentials.
3) Monitor logs for anomalous XFF header values and access patterns inconsistent with expected IP ranges.
4) Deploy network segmentation to isolate HDP Servers and limit lateral movement if unauthorized access occurs.
5) Engage with Progress Software for timely patching once available and test updates in controlled environments before deployment.
6) Review and tighten IP whitelisting policies, considering alternative or additional access control mechanisms such as client certificates or token-based authentication.
7) Conduct regular security audits and penetration tests focusing on header manipulation and access control bypass scenarios.
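The trust problem described in the technical analysis and the first mitigation item above, shown as an added example (not Progress Software's code): a naive resolver that believes the first X-Forwarded-For hop, beside a hardened resolver that accepts a hop only when a known proxy appended it. The proxy range and the allow-listed client range are constructed assumptions.

```python
import ipaddress
from typing import List, Optional

# Constructed sample values (assumptions, not from the advisory): the reverse
# proxy in front of the application and the allow-listed client range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_RANGES = [ipaddress.ip_network("192.168.10.0/24")]


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated hops, left to right."""
    if not header:
        return []
    return [h.strip() for h in header.split(",") if h.strip()]


def in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def naive_client_ip(remote_addr: str, xff: Optional[str]):
    """Vulnerable pattern: believe the first XFF hop regardless of who sent it."""
    hops = parse_xff(xff)
    return ipaddress.ip_address(hops[0] if hops else remote_addr)


def hardened_client_ip(remote_addr: str, xff: Optional[str]):
    """Walk XFF from the right, accepting a hop only if a trusted proxy appended it.

    The TCP peer (remote_addr) is the only address the application can vouch
    for. The last XFF entry was appended by that peer, the one before it by
    the node named in the last entry, and so on; stop at the first node that
    is not one of our proxies, since everything to its left is unverifiable.
    """
    current = ipaddress.ip_address(remote_addr)
    for hop in reversed(parse_xff(xff)):
        if not in_any(current, TRUSTED_PROXIES):
            break  # appended by an untrusted party: keep the verified node
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: refuse to move past it
    return current


def is_allowed(ip) -> bool:
    """IP allow-list check used with either resolution strategy above."""
    return in_any(ip, ALLOWED_RANGES)
```

With a direct connection from outside the proxy range, the naive resolver lets a forged header satisfy the allow-list while the hardened one falls back to the real peer address; a legitimate client behind the trusted proxy is still resolved correctly.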


Technical Details

Data Version
5.1
Assigner Short Name
ProgressSoftware
Date Reserved
2025-06-23T02:43:49.210Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6888c9f6ad5a09ad008de597

Added to database: 7/29/2025, 1:17:42 PM

Last enriched: 7/29/2025, 1:32:58 PM

Last updated: 7/29/2025, 2:39:32 PM

