CVE-2025-25182

Trust Issues: Stroom Auth Bypass & SSRF via AWS ALB Spoofing

Alon Barad
Software Engineer

Jan 2, 2026

Executive Summary (TL;DR)

Stroom trusted the 'signer' field in AWS ALB headers without verification. Attackers can bring their own ALB signatures to log in as anyone, or inject malicious regions into the signer ARN to trigger SSRF against the AWS Metadata Service (IMDS).

A critical authentication bypass and SSRF vulnerability in GCHQ's Stroom data platform allows attackers to spoof AWS Application Load Balancer identities or reach internal AWS metadata services.
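The check the summary describes as missing, written as an added example (not Stroom's code and not the project's fix): the `signer` and `kid` fields from the JWT header are validated against configuration before any key URL is built. The header name `x-amzn-oidc-data`, the key endpoint pattern and the allow-listed ARN are assumptions taken from AWS ALB documentation or constructed for illustration; signature verification with the fetched key would follow and is not shown.

```python
import base64
import json
import re

# Assumption: the one ALB allowed to front this service (constructed ARN).
EXPECTED_SIGNERS = frozenset({
    "arn:aws:elasticloadbalancing:eu-west-2:111122223333:"
    "loadbalancer/app/example-alb/0123456789abcdef",
})
ARN_RE = re.compile(r"arn:aws:elasticloadbalancing:([a-z]{2}(?:-[a-z]+)+-\d):"
                    r"\d{12}:loadbalancer/app/[A-Za-z0-9-]{1,32}/[0-9a-f]{16}")
KID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


class UntrustedSigner(ValueError):
    """The token's header does not name an ALB this service trusts."""


def make_token(header):
    """Constructed sample input: JWT-shaped, dummy payload and signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode()
    return f"{enc(header)}.{enc({'sub': 'constructed'})}.c2ln"


def key_url_for(oidc_data):
    """Return the ALB public-key URL to fetch, or raise UntrustedSigner."""
    try:
        segment = oidc_data.split(".")[0]  # JWT header of x-amzn-oidc-data
        padded = segment + "=" * (-len(segment) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:
        raise UntrustedSigner("unparseable JWT header") from exc
    signer = header.get("signer") if isinstance(header, dict) else None
    kid = header.get("kid") if isinstance(header, dict) else None
    # Exact match against configuration: nothing from the token is trusted yet.
    if not isinstance(signer, str) or signer not in EXPECTED_SIGNERS:
        raise UntrustedSigner("signer is not an allow-listed ALB")
    # Shape checks also catch a mistyped allow-list entry before it reaches a URL.
    arn = ARN_RE.fullmatch(signer)
    if arn is None or not isinstance(kid, str) or not KID_RE.fullmatch(kid):
        raise UntrustedSigner("malformed signer ARN or key id")
    return f"https://public-keys.auth.elb.{arn.group(1)}.amazonaws.com/{kid}"
```

Because the region in the URL comes only from an ARN that already matched the allow-list, a token cannot steer the key fetch to another host, and a token signed by someone else's ALB is rejected before its signature is even considered.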

Technical Appendix

CVSS Score: 9.4 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Probability: 0.33%
Top 45% most exploited

Affected Systems

Stroom Data Platform (GCHQ)

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| Stroom (GCHQ) | >= 7.2-beta.53, < 7.2.24 | 7.2.24 |
| Stroom (GCHQ) | 7.3-beta.1 - < 7.3-beta.22 | 7.3-beta.22 |
| Stroom (GCHQ) | 7.4-beta.1 - < 7.4.4 | 7.4.4 |
| Stroom (GCHQ) | 7.5-beta.1 | 7.5-beta.2 |

| Attribute | Detail |
| --- | --- |
| CWE | CWE-290 (Auth Bypass by Spoofing) |
| CVSS | 9.4 (Critical) |
| Attack Vector | Network |
| Exploit Status | PoC Available |
| Impact | Authentication Bypass / SSRF |
| KEV Status | Not Listed |

CWE-290: Authentication Bypass by Spoofing

Vulnerability Timeline

2024-06-05: Fix Committed to GitHub
2025-02-12: Public Disclosure & CVE Published
