CVE-2025-61138 Overview
CVE-2025-61138 is an information disclosure vulnerability in Qlik Sense Enterprise version 14.212.13. The flaw exposes sensitive content through the /dev-hub/ directory, which is accessible without authentication. Unauthenticated network attackers can retrieve information intended for restricted access. The weakness is categorized under [CWE-538] (Insertion of Sensitive Information into Externally-Accessible File or Directory).
Critical Impact
Remote, unauthenticated attackers can enumerate the /dev-hub/ directory on affected Qlik Sense Enterprise deployments and harvest sensitive information that supports follow-on attacks against analytics environments.
Affected Products
- Qlik Qlik Sense Enterprise 14.212.13
- CPE: cpe:2.3:a:qlik:qlik_sense:14.212.13:*:*:*:enterprise:*:*:*
- Component: qlik:qlik_sense
Discovery Timeline
- 2025-11-20 - CVE-2025-61138 published to the National Vulnerability Database (NVD)
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2025-61138
Vulnerability Analysis
Qlik Sense Enterprise ships with a developer-focused interface mounted at the /dev-hub/ URL path. In version 14.212.13, this directory returns sensitive information to clients that have not authenticated to the platform. An attacker only needs network reachability to the Qlik Sense web tier to trigger the disclosure.
The weakness maps to [CWE-538], where sensitive information is inserted into a directory that is externally accessible. Because Qlik Sense is typically deployed as a business intelligence platform, the /dev-hub/ endpoint may expose application metadata, scripts, or environment details that aid further reconnaissance. The vulnerability impacts confidentiality only; integrity and availability are not affected.
Root Cause
The root cause is improper access control on the /dev-hub/ directory in Qlik Sense Enterprise 14.212.13. The web tier serves resources from this path without enforcing authentication or authorization checks. Content meant for development and administrative use becomes reachable by anonymous clients.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends an HTTP request to https://<qlik-host>/dev-hub/ on an exposed Qlik Sense Enterprise instance. The server returns information from the development hub directory. No authentication challenge is presented. Internet-exposed deployments are at the highest risk, but internal attackers with network access to the analytics tier can also exploit the issue.
The vulnerability mechanism is described in the published proof-of-concept. See the GitHub PoC Repository for technical details and request examples.
Detection Methods for CVE-2025-61138
Indicators of Compromise
- Unauthenticated HTTP GET requests to /dev-hub/ and child paths in Qlik Sense Enterprise web server access logs
- Requests to /dev-hub/ originating from external IP addresses or non-developer source networks
- Reconnaissance patterns combining /dev-hub/ enumeration with subsequent probes of other Qlik Sense API endpoints
Detection Strategies
- Review Qlik Sense Proxy Service and reverse proxy logs for /dev-hub/ requests that complete with HTTP 200 responses and lack a valid authenticated session identifier.
- Correlate web server logs with identity provider logs to flag /dev-hub/ access that has no corresponding authentication event.
- Hunt for directory enumeration patterns where a single source issues sequential requests under the /dev-hub/ path.
Monitoring Recommendations
- Forward Qlik Sense web tier and proxy logs to a centralized analytics platform and alert on anonymous access to /dev-hub/.
- Add a web application firewall (WAF) rule that records and alerts on any external requests to the /dev-hub/ path.
- Track the affected version 14.212.13 in your software inventory and flag unpatched hosts during vulnerability scans.
How to Mitigate CVE-2025-61138
Immediate Actions Required
- Inventory all Qlik Sense Enterprise instances and identify any running version 14.212.13.
- Restrict network access to the Qlik Sense web tier so the /dev-hub/ path is not reachable from untrusted networks or the public internet.
- Block or return HTTP 403 for unauthenticated requests to /dev-hub/ at the reverse proxy or WAF layer.
- Review historical access logs for prior unauthenticated requests to /dev-hub/ and treat any disclosed information as potentially compromised.
Patch Information
No vendor patch identifier is listed in the available CVE data. Monitor the Qlik security advisories and official Qlik support channels for an updated build that addresses CVE-2025-61138, and upgrade away from version 14.212.13 once a fixed release is available.
Workarounds
- Place Qlik Sense Enterprise behind an authenticating reverse proxy that enforces access control on the /dev-hub/ path.
- Disable the Dev Hub feature in environments where it is not required for production analytics development.
- Limit /dev-hub/ access to a defined administrative IP allowlist using network ACLs or WAF rules until a vendor fix is applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
