CVE-2025-3648

Data Inference in Now Platform via Conditional ACLs

CVSS 8.2 HIGH | EPSS 1.7% | CWE-1220
In short

A vulnerability in ServiceNow's Now Platform allows users to infer sensitive data they shouldn't access by using range queries, even when access controls are in place. This happens because certain conditional ACL configurations don't properly block these indirect data discovery attempts.

Technical detail

The vulnerability exploits insufficient validation in conditional ACL enforcement against range query requests, allowing both authenticated and unauthenticated users to infer instance data. The issue stems from improper filtering logic in query parameter handling, potentially exposing data not intended for the requester's privilege level. ServiceNow has released the Query ACL, Security Data Filter, and Deny-Unless ACL frameworks to mitigate this data inference vulnerability (CWE-1220).

Summary generated and translated by AI from the official description.
A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs. Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations. Customers, please review the KB Articles in the References section.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
