CVE-2023-37401: IBM Aspera Faspex cross-origin resource sharing
Published Oct 8, 2025
IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted.
Other sources
IBM Aspera uses a cross-domain policy file that includes domains that should not be trusted.
— IBM
Affected Software
5 affected components
IBM Aspera Faspex >=5.0.0 <=5.0.13.1
IBM Aspera Faspex 5 <=5.0.0 - 5.0.13.1
All of the following:
  IBM Aspera Faspex >=5.0.0 <5.0.14
  Any of the following:
    Linux Linux kernel
    Microsoft Windows
Remediation
Information
IBM strongly recommends addressing the vulnerabilities now by upgrading to Faspex 5.0.14 available from the link below.
Product: IBM Aspera Faspex
Fixing VRM: 5.0.14
Platform: Linux
Link to Fix: https://www.ibm.com/support/fixcentral/swg/downloadFixes
Event History
Oct 8, 2025
CVE Published via IBM, 12:00 AM
Data Sourced via IBM, 12:00 AM: Description, Affected Software
Oct 9, 2025
CVE Published via MITRE, 01:54 PM
Data Sourced via MITRE, 01:54 PM: Remedy, Description, Severity, Weakness
Data Sourced via NVD, 02:15 PM: Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2023-37401?
CVE-2023-37401 is considered a medium severity vulnerability due to its potential for cross-domain security risks.
2. How do I fix CVE-2023-37401?
To fix CVE-2023-37401, update IBM Aspera Faspex to version 5.0.14 or later, which removes the inclusion of untrusted domains.
3. Which versions are impacted by CVE-2023-37401?
CVE-2023-37401 affects IBM Aspera Faspex versions from 5.0.0 to 5.0.13.1.
4. What types of attacks are possible with CVE-2023-37401?
CVE-2023-37401 allows for potential cross-domain scripting attacks, exposing sensitive information.
5. Who is affected by CVE-2023-37401?
Organizations using IBM Aspera Faspex versions 5.0.0 through 5.0.13.1 are at risk due to CVE-2023-37401.