CVE-2025-26074
Status: Awaiting Analysis (NVD queue)
BaseFortify

Publication date: 2025-06-30

Last updated on: 2025-06-30

Assigner: MITRE

Description
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.
CVSS Scores
No CVSS score is listed for this entry.
EPSS Scores
Probability: not listed
Percentile: not listed
Meta Information
Page generated: 2026-05-07
AI Q&A generated: 2025-06-30
EPSS evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-26074 is a remote code execution vulnerability in Orkes Conductor v3.21.11 (Conductor OSS) rooted in how the server evaluates inline JavaScript tasks with the Nashorn engine. Nashorn exposes the Java platform to scripts by default through globals such as Java.type and Packages, and Conductor created the engine without restricting that access. An attacker who can submit or update workflow definitions can therefore write an inline task expression that obtains a Java class such as java.lang.Runtime or java.lang.ProcessBuilder and runs arbitrary OS commands with the privileges of the Conductor process, for example spawning a reverse shell, simply by starting a crafted workflow. [1]


How can this vulnerability impact me?

This vulnerability gives a remote attacker who can reach the workflow API the ability to run arbitrary operating system commands as the Conductor service account, which in practice means full control of the server. A reverse shell gives the attacker an interactive foothold from which they can read workflow data and any secrets the service can access, disrupt or tamper with orchestrated workflows, and pivot further into the network. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no single network signature for this issue; the practical checks are version and configuration review plus host monitoring. First, confirm the running Conductor OSS version: releases before the fixed version (3.21.13 according to the mitigation guidance) that evaluate inline JavaScript tasks with Nashorn should be treated as affected. Second, confirm how the deployment constructs its Nashorn engine: if the engine is created without the --no-java option, scripts can reach Java classes through Nashorn's Java.type and Packages globals. Third, review existing workflow definitions (for example via the metadata API, GET /api/metadata/workflow) for INLINE tasks whose expression references Java.type, Packages, java.lang, Runtime or ProcessBuilder; such an expression is either an intrusion artifact or an accident waiting to happen. The crafted request described for this issue starts a workflow by name, for example POST http://<conductor-host>:8080/api/workflow/WorkflowRce; do not replay a reverse-shell payload against a production server, but do search access logs for workflow-start and definition-update requests from unexpected sources. On the host, alert on child processes of the Conductor JVM (a Java process spawning /bin/sh, bash, nc, curl or similar) and on unexpected outbound connections from the server, which are the most reliable indicators of actual exploitation. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps: 1) Do not expose Conductor OSS to the public internet; the workflow and metadata APIs should be reachable only from trusted networks. 2) Restrict the ability to define, update and start workflows to trusted users, since the attack is carried in a workflow definition and triggered by a start request. 3) Upgrade Conductor OSS to version 3.21.13 or later, where the fix creates the Nashorn engine with the --no-java option so that inline JavaScript can no longer reach Java classes. Until the upgrade is in place, audit existing definitions for expressions that reference Java.type or Packages and, if your workflows do not depend on them, avoid INLINE tasks that use the JavaScript evaluator. [1]
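The following is an added example, not code from the Conductor project or from this page, tying together the mechanism, the configuration check and the fix described above. It builds two Nashorn engines, one with default options (the weak construction) and one with --no-java (the hardened one), and evaluates a benign probe that reports whether script code can resolve a Java class. The class, method and probe names are mine; the probe script is constructed for this example and resolves java.lang.Runtime without invoking anything on it. It assumes the standalone Nashorn engine (org.openjdk.nashorn:nashorn-core) is on the classpath; on JDK 8 through 14 the built-in engine lives in the jdk.nashorn.api.scripting package instead.

```java
// Added example, not Conductor project code: shows why the Nashorn --no-java
// option matters and gives a benign probe for an engine's configuration.
// Assumes the standalone Nashorn engine (org.openjdk.nashorn:nashorn-core) is
// on the classpath; on JDK 8-14 the package is jdk.nashorn.api.scripting.
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class NashornJavaAccessProbe {

    // Constructed probe script. It resolves a class through Nashorn's Java
    // bridge to prove reachability but invokes nothing on it. A ReferenceError
    // (Java undefined) or TypeError (Java null under --no-java) is caught and
    // reported as "not reachable".
    static final String PROBE =
        "(function () {\n" +
        "  try {\n" +
        "    return Java.type('java.lang.Runtime') !== null;\n" +
        "  } catch (e) {\n" +
        "    return false;\n" +
        "  }\n" +
        "})()";

    // Weak construction: default options leave Java.type, Packages and the
    // java/javax package roots visible to every script the engine runs.
    static ScriptEngine unrestrictedEngine() {
        return new NashornScriptEngineFactory().getScriptEngine();
    }

    // Hardened construction: --no-java removes the Java bridge from the
    // script's global scope, so Java.type(...) can no longer resolve classes.
    static ScriptEngine hardenedEngine() {
        return new NashornScriptEngineFactory().getScriptEngine("--no-java");
    }

    // Returns true if script code running in this engine can resolve Java
    // classes, i.e. the engine is configured the way this CVE requires.
    static boolean javaClassesReachable(ScriptEngine engine) throws ScriptException {
        Object result = engine.eval(PROBE);
        return Boolean.TRUE.equals(result);
    }

    public static void main(String[] args) throws ScriptException {
        System.out.println("default engine, Java classes reachable: "
                + javaClassesReachable(unrestrictedEngine()));
        System.out.println("--no-java engine, Java classes reachable: "
                + javaClassesReachable(hardenedEngine()));
    }
}
```

The default engine reports true and the --no-java engine reports false. To check a deployment, run the same probe through an engine constructed exactly as your build constructs it; a true result means inline scripts can reach Java classes. Two caveats: --no-java is all-or-nothing, and Nashorn's getScriptEngine(ClassFilter) overload is the option when a script legitimately needs a small allowlist of classes; and --no-java removes the Java.type/Packages bridge but does not hide Java objects that the host places in the script's bindings, whose public methods remain callable, so also review what the host passes into the inline task's scope.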

