{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-55271", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "state": "PUBLISHED", "assignerShortName": "HCL", "dateReserved": "2025-08-12T07:00:17.741Z", "datePublished": "2026-03-26T12:59:30.264Z", "dateUpdated": "2026-03-26T15:01:42.798Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-03-26T12:59:30.264Z"}, "title": "HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-113", "description": "CWE-113: Improper Control of HTTP Messages and Headers", "type": "CWE"}]}], "affected": [{"vendor": "HCL", "product": "Aftermarket DPC", "versions": [{"status": "affected", "version": "version 1.0.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability where in depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response..", "supportingMedia": [{"type": "text/html", "base64": false, "value": "HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability where in depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response.."}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:41:59.276926Z", "id": "CVE-2025-55271", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:01:42.798Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-55271", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:41:59.276926Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:42:04.639Z"}}], "cna": {"title": "HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HCL", "product": "Aftermarket DPC", "versions": [{"status": "affected", "version": "version 1.0.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability where in depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response..", "supportingMedia": [{"type": "text/html", "value": "HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability where in depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response..", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-113", "description": "CWE-113: Improper Control of HTTP Messages and Headers"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-03-26T12:59:30.264Z"}}}, "cveMetadata": {"cveId": "CVE-2025-55271", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:01:42.798Z", "dateReserved": "2025-08-12T07:00:17.741Z", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "datePublished": "2026-03-26T12:59:30.264Z", "assignerShortName": "HCL"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:aftermarket_cloud:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C71E5E64-ED4C-4763-8A74-5F9DDCFD13DA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability where in depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response.."}], "id": "CVE-2025-55271", "lastModified": "2026-03-26T20:31:41.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "psirt@hcl.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T13:16:26.567", "references": [{"source": "psirt@hcl.com", "tags": ["Vendor Advisory"], "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-113"}], "source": "psirt@hcl.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Aftermarket DPC", "source": "cna", "vendor": "HCL"}, "product": "aftermarket_dpc", "vendor": "hcl"}], "analysis": {"en": {"generated_at": "2026-03-26T21:28:48.755674+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued patch or upgrade to a version of HCL Aftermarket DPC that addresses HTTP Response Splitting", "Verify the patch by checking the application\u2019s version information", "If an immediate patch is not possible, restrict inbound traffic to the application to trusted IP ranges only", "Monitor logs for abnormal response headers or evidence of response splitting attempts", "Review the vendor support page (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793) for additional guidance"], "summary": {"action": "Apply Patch", "impact": "Command injection and potential arbitrary code execution via HTTP Response Splitting"}, "threat_synthesis": {"affected_systems": "The affected product is HCL Aftermarket DPC (HCL Aftermarket Cloud) version\u202f1.0.0. The single identified version in the CPE list confirms that the 1.0.0 release is vulnerable.", "description_and_impact": "The vulnerability is a classic HTTP Response Splitting flaw (CWE\u2011113). A crafted request could cause the application to split the response header and body, enabling an attacker to inject arbitrary content or execute commands on the server. The impact ranges from data exfiltration through injected payloads to hostile command execution if the application processes the split response incorrectly.", "risk_and_exploitability": "The CVSS score of 3.1 indicates low overall severity, and the vulnerability is not listed in the CISA KEV catalog. The risk is primarily derived from the ability of an external attacker to send a malicious HTTP request to the affected endpoint. Exploitation requires no privileged credentials and can be performed over the public network if the application is exposed. The absence of an EPSS score limits quantitative risk modeling, but the potential for arbitrary command execution makes it advisable to remediate promptly."}}}}, "created": "2026-03-27T08:35:48.835682+00:00", "updated": "2026-03-27T09:28:31.947515+00:00", "vendors": ["hcl", "hcl$PRODUCT$aftermarket_dpc"]}