CVE-2025-31990
CVSS 3.1 base score: 6.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Exploitability: 2.3 / Impact: 4.0
Source: psirt@hcl.com (Secondary)
Description
Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability is fixed in 5.1.7.
References (1)
Source: psirt@hcl.com
Timeline (4)
2/7/2026 (4 changes)
New CVE Received - Reference
04:15 AM
- -
+ https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128585
New CVE Received - CWE
04:15 AM
- -
+ CWE-770
New CVE Received - CVSS V3.1
04:15 AM
- -
+ AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
New CVE Received - Description
04:15 AM
- -
+ Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability is fixed in 5.1.7.