CVE-2025-42919
Description
Due to an Information Disclosure vulnerability in SAP NetWeaver Application Server Java, internal metadata files could be accessed via manipulated URLs. An unauthenticated attacker could exploit this vulnerability by inserting arbitrary path components in the request, allowing unauthorized access to sensitive application metadata. This results in a partial compromise of the confidentiality of the information without affecting the integrity or availability of the application server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can access internal metadata files in SAP NetWeaver Application Server Java via path manipulation, leading to partial information disclosure.
Vulnerability Overview
CVE-2025-42919 is an information disclosure vulnerability in SAP NetWeaver Application Server Java. The root cause lies in insufficient validation of URL path components, allowing an attacker to insert arbitrary path segments into a request. This enables unauthorized access to internal metadata files that should not be exposed to unauthenticated users [1].
Exploitation
The vulnerability can be exploited remotely by an unauthenticated attacker who crafts a manipulated URL containing path traversal or arbitrary path components. No authentication or special privileges are required, and the attack can be carried out over the network without any user interaction. The attack surface is the HTTP interface of the SAP NetWeaver Application Server Java [1].
Impact
Successful exploitation results in partial compromise of confidentiality, as the attacker can read sensitive application metadata. The vulnerability does not affect the integrity or availability of the server. The disclosed metadata could aid in further attacks by revealing internal application structure or configuration details [1].
Mitigation
SAP has released security patches as part of its regular Security Patch Day. Customers are advised to apply the relevant SAP Security Notes to remediate the vulnerability. No workarounds are mentioned, and the vendor recommends implementing the corrections as a priority [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
References: 2