CVE-2025-64319 Overview
CVE-2025-64319 is an Incorrect Permission Assignment for Critical Resource vulnerability [CWE-732] affecting Salesforce MuleSoft Anypoint Code Builder versions before 1.12.1. The flaw allows an attacker to manipulate writeable configuration files that should be restricted. Successful exploitation impacts the integrity of the affected application without requiring authentication or user interaction. Salesforce addressed the issue in version 1.12.1 and published guidance in a customer help article.
Critical Impact
Attackers can modify configuration files in MuleSoft Anypoint Code Builder over the network, altering application behavior and integrity without prior authentication.
Affected Products
- Salesforce MuleSoft Anypoint Code Builder versions before 1.12.1
- Development environments integrating Anypoint Code Builder for MuleSoft application design
- Deployments relying on default Anypoint Code Builder configuration permissions
Discovery Timeline
- 2025-11-04 - CVE-2025-64319 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2025-64319
Vulnerability Analysis
The vulnerability stems from incorrect permission assignment on critical configuration resources within MuleSoft Anypoint Code Builder. Configuration files that should be restricted to privileged users are made writeable to unintended principals. An attacker able to reach the affected component can modify these files to alter runtime behavior. The issue affects the integrity of the application while confidentiality and availability remain unaffected according to the published CVSS vector.
Because Anypoint Code Builder underpins MuleSoft application development, tampered configuration can propagate into downstream integration flows. Malicious modifications to build or environment configuration may influence how APIs, connectors, and deployment artifacts are produced. This creates a supply-chain style risk for organizations that rely on the tool for production integrations.
Root Cause
The root cause is an [CWE-732] Incorrect Permission Assignment for Critical Resource weakness. Anypoint Code Builder assigns overly permissive write access to configuration files that govern application settings. The permission model fails to enforce least privilege on these resources, enabling unauthorized modification.
Attack Vector
The attack vector is network based and requires no privileges or user interaction. An unauthenticated remote attacker who can reach the affected Anypoint Code Builder instance can write to configuration files that should be protected. The exploit does not require complex conditions, and successful manipulation directly affects application integrity. No public proof-of-concept or in-the-wild exploitation has been reported at the time of publication.
Detection Methods for CVE-2025-64319
Indicators of Compromise
- Unexpected modifications to MuleSoft Anypoint Code Builder configuration files outside of authorized change windows.
- File integrity monitoring alerts on Anypoint workspace or project configuration directories.
- Anomalous network requests to Anypoint Code Builder endpoints from untrusted sources.
- Configuration drift between Anypoint Code Builder projects and their source-of-truth repositories.
Detection Strategies
- Deploy file integrity monitoring (FIM) on Anypoint Code Builder configuration directories to flag unauthorized writes.
- Compare running configuration against version-controlled baselines to detect unsanctioned changes.
- Correlate configuration file write events with authenticated user activity to identify anomalous modifications.
- Review Anypoint Platform audit logs for configuration changes lacking a corresponding developer action.
Monitoring Recommendations
- Enable verbose logging on the Anypoint Code Builder host and forward logs to a centralized SIEM.
- Monitor outbound connections from Anypoint Code Builder for signs of exfiltration following configuration tampering.
- Alert on privilege changes or ACL modifications targeting Anypoint Code Builder installation paths.
How to Mitigate CVE-2025-64319
Immediate Actions Required
- Upgrade Salesforce MuleSoft Anypoint Code Builder to version 1.12.1 or later without delay.
- Restrict network access to Anypoint Code Builder instances so only trusted developer networks can reach them.
- Audit existing Anypoint Code Builder configuration file permissions and remove world-writable or group-writable flags.
- Rotate any credentials or secrets that may have been referenced in configuration files prior to patching.
Patch Information
Salesforce released a fixed build in Anypoint Code Builder version 1.12.1. Customers should follow the guidance in the Salesforce Help Article to identify affected installations and apply the update. Verify the upgrade by confirming the reported version and re-running any customized configuration hardening steps after the update.
Workarounds
- Apply operating system level access controls to configuration directories used by Anypoint Code Builder until the patch is installed.
- Place Anypoint Code Builder behind a VPN or zero-trust access proxy to eliminate exposure to unauthenticated network callers.
- Store sensitive configuration in externalized secret managers rather than local writeable files where feasible.
- Enable file integrity monitoring to detect and alert on any unauthorized configuration changes during the mitigation window.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

