CVE-2025-63690

Exploit

EPSS 0.72%
Veröffentlicht 07.11.2025 00:00:00
Zuletzt bearbeitet 08.12.2025 16:10:04
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat's built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pig4cloud ≫ Pig Version <= 3.8.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.72%	0.717

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	2.3	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

https://github.com/pig-mesh/pig/issues/1199

Broken Link

https://github.com/LockeTom/vulnerability/blob/main/md/pig_Remote_Code_Execution_Vulnerability.md

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-63690

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-63690

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-63690

EUVD