CVE-2025-14591 Overview
CVE-2025-14591 affects Perforce Delphix Continuous Compliance version 2025.3.0 and later. A bug fix shipped in that release changed how the product handles Carriage Return + Line Feed (CR+LF) End-of-Record (EOR) sequences in delimited files, and the change made record parsing sensitive to the EOR option configured on each masking job. When an operator selects an EOR setting that does not match the input file, the masking engine parses records incorrectly and writes personally identifiable information (PII) to the output unmasked. The flaw is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Misconfigured EOR handling in delimited file masking jobs can produce output files where PII fields remain in cleartext, defeating the compliance control intended to protect that data.
Affected Products
- Perforce Delphix Continuous Compliance 2025.3.0
- Perforce Delphix Continuous Compliance versions later than 2025.3.0
- Delimited file masking jobs whose configured EOR does not match the source file, in particular files that use CR+LF (Windows/DOS) record terminators
Discovery Timeline
- 2025-12-20 - CVE-2025-14591 published to the National Vulnerability Database (NVD)
- 2026-01-05 - Last updated in NVD database
Technical Details for CVE-2025-14591
Vulnerability Analysis
Delphix Continuous Compliance masks sensitive data inside structured and semi-structured sources, including delimited (CSV-style) flat files. Each record in a delimited file is separated by an End-of-Record sequence. Windows and DOS systems typically use CR+LF (\r\n), while Unix systems use LF (\n).
In version 2025.3.0, Perforce shipped a fix that changed how CR+LF is recognized as an EOR sequence. After the fix, tokenization depends on the EOR option the operator selects for each masking job. When the configured EOR does not match the bytes actually present in the input file, record boundaries are found in the wrong places: with CR+LF configured for an LF file the parser sees far fewer records than exist, and with LF configured for a CR+LF file the stray CR is carried into the last field of every record. Either way the values no longer line up with the column definitions, so the masking rules are not applied to the fields they were meant for and the original PII passes through unchanged.
Any authenticated user who can create or modify masking job configurations can trigger the condition; no interaction from another user is required.
Root Cause
The root cause is that the delimited file parser trusts the operator-selected EOR setting instead of validating it against the bytes actually present in the file. A mismatch between configuration and file format causes record and field boundaries to be computed incorrectly, so the masking rules are applied to the wrong fields or not at all.
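The two failure modes described in the Vulnerability Analysis and the root cause above, reduced to a runnable model. This is an added example, not Delphix code: the parser, the masking rule (a placeholder that masks only values it recognises as SSN-shaped), the column numbers and the sample rows with fake SSNs are all assumptions made for illustration. `run_job` plays the flawed engine that trusts the configured EOR; `detect_eor` shows the check the parser should perform instead.

```python
"""Model of how a mismatched End-of-Record (EOR) setting defeats masking.

Added example, not Delphix code. The engine is reduced to: split the file on
the *configured* EOR, split each record on the delimiter, apply a masking rule
to the flagged columns. The SSN-format check inside the rule is a placeholder
for a format-preserving algorithm that refuses input it does not recognise.
"""
import re

CRLF = b"\r\n"
LF = b"\n"
SSN_RE = re.compile(rb"[0-9]{3}-[0-9]{2}-[0-9]{4}")

# Constructed sample data (fake SSNs): the same rows with CR+LF and with LF.
ROWS = [b"id,name,ssn", b"1,Alice,123-45-6789", b"2,Bob,987-65-4321", b"3,Carol,555-44-3333"]
CRLF_FILE = CRLF.join(ROWS) + CRLF
LF_FILE = LF.join(ROWS) + LF
MASK_COLUMNS = {2}  # assumed column index of the ssn field


def parse_records(data: bytes, eor: bytes, delim: bytes = b",") -> list[list[bytes]]:
    """Split on the configured EOR, then on the delimiter. Like the flawed
    parser, it trusts `eor` and never checks it against the file contents."""
    body = data[: -len(eor)] if data.endswith(eor) else data
    return [rec.split(delim) for rec in body.split(eor)]


def mask_records(records: list[list[bytes]], mask_columns: set[int]) -> list[list[bytes]]:
    """Mask flagged columns of every record after the header. A value that does
    not look like an SSN (e.g. one with a stray CR attached) passes through."""
    out = [records[0]]
    for rec in records[1:]:
        out.append([
            b"XXX-XX-" + v[-4:] if col in mask_columns and SSN_RE.fullmatch(v) else v
            for col, v in enumerate(rec)
        ])
    return out


def run_job(data: bytes, configured_eor: bytes, delim: bytes = b",") -> bytes:
    """End-to-end masking job with an operator-chosen EOR; returns the output file."""
    masked = mask_records(parse_records(data, configured_eor, delim), MASK_COLUMNS)
    return configured_eor.join(delim.join(rec) for rec in masked) + configured_eor


def residual_ssns(output: bytes) -> int:
    """Post-masking check: how many SSN-shaped values survived."""
    return len(SSN_RE.findall(output))


def detect_eor(data: bytes) -> bytes:
    """What the parser should do instead: derive the EOR from the bytes present."""
    return CRLF if CRLF in data else LF


if __name__ == "__main__":
    for label, data in (("CRLF file", CRLF_FILE), ("LF file", LF_FILE)):
        for cfg_name, cfg in (("CRLF", CRLF), ("LF", LF)):
            out = run_job(data, cfg)
            print(f"{label:9s} configured={cfg_name:4s} residual SSNs={residual_ssns(out)}")
```

Running it prints the residual SSN count for all four combinations: zero when the configured EOR matches the file, three (every data row) when it does not, in both directions. In the LF-configured-on-CR+LF case the output is byte-identical to the input, which is why a job can report success while masking nothing.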
Attack Vector
An authenticated user with permission to define or edit a masking job can select an EOR option that does not match the source file. The job completes without error, but the resulting file contains unmasked PII. The impact is to confidentiality of the masked output; integrity and availability of the Delphix platform itself are not affected. The same condition is easily reached by mistake during routine job configuration, so accidental exposure is a realistic outcome even without a malicious operator.
No public proof-of-concept exploit, ExploitDB entry, or CISA KEV listing exists for this CVE at the time of writing.
Detection Methods for CVE-2025-14591
Indicators of Compromise
- Masked output files from Delphix Continuous Compliance 2025.3.0 or later that still contain recognizable PII values such as Social Security Numbers, email addresses, or payment card numbers.
- Masking job logs that report success but show row counts or field counts inconsistent with the source file structure.
- Delimited file masking jobs whose EOR setting was changed after upgrading to 2025.3.0.
Detection Strategies
- Run automated PII scanners (regex or classifier-based) over post-masking output files and alert when matches are found in columns that should be masked. Format-preserving masks keep a value's shape, so for those columns compare the output value against the source value instead of relying on pattern matches alone.
- Compare record counts and per-record field counts between input and output files. A mismatch is a strong sign that records were split on the wrong terminator.
- Audit masking job definitions for delimited file sources and confirm that the configured EOR value matches the record terminator bytes actually present in the files (inspect with a hex dump or the file utility).
Monitoring Recommendations
- Log and review every change to masking job configurations, especially EOR, delimiter, and quote character fields.
- Track the Delphix Continuous Compliance version in asset inventories and flag any host running 2025.3.0 or later for re-validation of masking output.
- Establish a recurring sample-based review of masked deliverables before they are released to downstream environments.
How to Mitigate CVE-2025-14591
Immediate Actions Required
- Identify all masking jobs that process delimited files on Delphix Continuous Compliance 2025.3.0 and later.
- Verify that the EOR configuration on each job matches the actual record terminator (\r\n for Windows/DOS, \n for Unix) used by the source files.
- Re-run any masking jobs whose EOR setting cannot be confirmed and validate the output for residual PII before distribution.
- Review Perforce guidance in Perforce Article TB137 and the Perforce CVE PII Leak Advisory.
Patch Information
Perforce documents the issue and the corrective configuration in Article TB137 and on the dedicated CVE advisory page. Treat TB137 as the authoritative source for remediation steps, and apply any product updates Perforce publishes for Delphix Continuous Compliance.
Workarounds
- Standardize source file formats before masking. Convert all delimited input files to a single, known EOR convention upstream of Delphix.
- Add a post-masking validation step that scans output files for PII patterns and blocks delivery on any match.
- Restrict masking job configuration privileges to a small group of trained operators to reduce the chance of EOR misconfiguration.
# Confirm the actual End-of-Record bytes in a delimited input file before configuring a job.
# CR+LF (Windows/DOS) shows as 0d 0a at the end of each line; LF (Unix) shows as 0a alone.
head -c 256 input_file.csv | xxd
# The file utility reports the terminator in words ("with CRLF line terminators").
file input_file.csv
# Quick check for residual PII patterns in a masked output file (example: US SSN format).
# Format-preserving masks keep a value's shape, so scope this to columns masked by redaction.
grep -nE '\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b' masked_output.csv && \
echo 'POSSIBLE UNMASKED PII - REVIEW BEFORE RELEASE'
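A release gate that implements the detection strategies listed earlier (EOR check, field-count comparison, PII scan of masked columns) and the post-masking validation workaround, as an added example; it is not Delphix code and not the procedure in TB137. The column layout, the sample source file and the three candidate outputs (fully masked; last column unmasked, as a job configured for LF leaves a CR+LF file; and the single-record output a job configured for CR+LF produces from an LF file) are constructed for illustration, with fake SSNs and the public 4111.../5500... card test numbers. Only SSN and Luhn-valid card patterns are used; a mask that preserves a value's shape (the email column here) is caught by the unchanged-from-source comparison instead.

```python
"""Post-masking validation gate for delimited files.

Added example; not Delphix code and not the vendor's procedure. It confirms
the record terminator actually present in source and output, compares row and
per-row field counts, and scans the columns that should have been masked for
values that are unchanged from the source or still PII-shaped (SSN, Luhn-valid
card number). Masks that keep a value's shape are caught by the unchanged check.
"""
import re

CRLF, LF = b"\r\n", b"\n"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed sample data with fake identifiers and public card test numbers.
SOURCE = CRLF.join([
    b"id,email,ssn,card",
    b"1,alice@example.com,123-45-6789,4111 1111 1111 1111",
    b"2,bob@example.com,987-65-4321,5500 0000 0000 0004",
]) + CRLF
GOOD_OUTPUT = CRLF.join([
    b"id,email,ssn,card",
    b"1,user1@masked.invalid,XXX-XX-6789,**** **** **** 1111",
    b"2,user2@masked.invalid,XXX-XX-4321,**** **** **** 0004",
]) + CRLF
# What a job configured for LF leaves behind on this CR+LF file: the stray CR
# sticks to the last field, the card rule rejects it, the value passes through.
PARTIAL_OUTPUT = CRLF.join([
    b"id,email,ssn,card",
    b"1,user1@masked.invalid,XXX-XX-6789,4111 1111 1111 1111",
    b"2,user2@masked.invalid,XXX-XX-4321,5500 0000 0000 0004",
]) + CRLF
# What a job configured for CR+LF writes for an LF source: one giant record.
LF_SOURCE = SOURCE.replace(CRLF, LF)
ONE_RECORD_OUTPUT = LF_SOURCE + CRLF
MASKED_COLUMNS = {1, 2, 3}  # assumed: email, ssn, card


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that not every long digit run is reported as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect_eor(data: bytes) -> bytes:
    """Terminator actually present in the bytes (CR+LF wins if it occurs at all)."""
    return CRLF if CRLF in data else LF


def split_rows(data: bytes, delim: bytes = b",") -> list[list[str]]:
    """Split on the detected terminator, then on the delimiter; decode leniently."""
    eor = detect_eor(data)
    body = data[: -len(eor)] if data.endswith(eor) else data
    return [[f.decode("utf-8", "replace") for f in rec.split(delim)]
            for rec in body.split(eor)]


def validate(source: bytes, masked: bytes, masked_columns: set[int],
             delim: bytes = b",") -> list[str]:
    """Return a list of findings; an empty list means the output may be released."""
    findings = []
    src_eor, out_eor = detect_eor(source), detect_eor(masked)
    if src_eor != out_eor:
        findings.append(f"EOR changed: source {src_eor!r}, output {out_eor!r}")
    src_rows, out_rows = split_rows(source, delim), split_rows(masked, delim)
    if len(src_rows) != len(out_rows):
        findings.append(f"row count: source {len(src_rows)}, output {len(out_rows)}")
    for n, (s, o) in enumerate(zip(src_rows, out_rows), start=1):
        if len(s) != len(o):
            findings.append(f"row {n}: field count source {len(s)}, output {len(o)}")
    # Row 1 is the header; data rows are numbered from 2.
    for n, row in enumerate(out_rows[1:], start=2):
        src_row = src_rows[n - 1] if n - 1 < len(src_rows) else []
        for col in sorted(masked_columns):
            if col >= len(row):
                continue
            value = row[col]
            reasons = []
            if col < len(src_row) and value == src_row[col]:
                reasons.append("unchanged from source")
            if SSN_RE.search(value):
                reasons.append("SSN-shaped")
            m = CARD_RE.search(value)
            if m and luhn_ok(re.sub(r"\D", "", m.group())):
                reasons.append("Luhn-valid card number")
            if reasons:
                findings.append(f"row {n} col {col}: {', '.join(reasons)}")
    return findings


def release_gate(source: bytes, masked: bytes, masked_columns: set[int]) -> bool:
    """True only when validation raised nothing; wire this into the delivery step."""
    return not validate(source, masked, masked_columns)


if __name__ == "__main__":
    for name, src, out in (("good", SOURCE, GOOD_OUTPUT),
                           ("partial", SOURCE, PARTIAL_OUTPUT),
                           ("one-record", LF_SOURCE, ONE_RECORD_OUTPUT)):
        print(name, "RELEASE" if release_gate(src, out, MASKED_COLUMNS) else "BLOCK")
        for finding in validate(src, out, MASKED_COLUMNS):
            print("  ", finding)
```

Run `release_gate` in the step that hands masked files downstream so that a job which reports success but leaves PII behind is stopped before delivery. The EOR and row-count checks fire before any content is examined, which is what catches the single-record case where the masked columns never exist in the output at all.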
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


