CVE-2025-42919
MEDIUM
SAP NetWeaver Application Server Java - Info Disclosure
Due to an Information Disclosure vulnerability in SAP NetWeaver Application Server Java, internal metadata files could be accessed via manipulated URLs. An unauthenticated attacker could exploit this vulnerability by inserting arbitrary path components in the request, allowing unauthorized access to sensitive application metadata. This results in a partial compromise of the confidentiality of the information without affecting the integrity or availability of the application server.
References (2)
Core References
Vendor Advisory
https://me.sap.com/notes/3643603
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
5.3
EPSS
0.0029
EPSS Percentile
52.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
SAP_SE/SAP NetWeaver Application Server Java
ENGINEAPI 7.50
SAP_SE/SAP NetWeaver Application Server Java
EP-BASIS 7.50
Published
Nov 11, 2025
Tracked Since
Feb 18, 2026