CVE-2025-53192
BaseFortify
Publication date: 2025-08-18
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | commons_ognl | * (all versions; the project is retired and no fixed release will be made) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-146 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper neutralization of expression/command delimiters (CWE-146) in Apache Commons OGNL. OGNL expressions do far more than read properties: they can invoke methods and reference classes statically. The library ships a blocklist meant to keep expressions away from dangerous classes and methods, but that blocklist is not comprehensive. An attacker who controls the text of an evaluated expression can reach class objects the blocklist does not cover and, through them, execute arbitrary code on the JVM that evaluates the expression.
How can this vulnerability impact me?
If exploited, this vulnerability lets an attacker execute arbitrary code on the affected system, with the privileges of the process that evaluates the expression. That can mean unauthorized actions, data compromise, or full control of the host. Because the project is retired and no fix will be released, the exposure does not go away with an upgrade: users must either ensure that only trusted users can supply expressions or migrate to an alternative.
What immediate steps should I take to mitigate this vulnerability?
Because Apache Commons OGNL is retired and no fixed version will be released, the only mitigations are to replace the library with a maintained alternative or to restrict the affected instance so that expressions can only be supplied by trusted users. Start by inventorying where the library is actually loaded, including as a transitive dependency, so that neither option misses an instance.
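The Q&A above describes a blocklist that is supposed to keep expressions away from dangerous classes and methods, and explains why a blocklist is the wrong shape for this problem. The example below is added here to illustrate the inverse posture; it is not code from this page or from the Commons OGNL project, and it does not fix the CVE (the advisory's guidance to migrate or restrict access still applies). It shows the default, permissive evaluation next to a deny-by-default context for code that cannot be migrated immediately: a ClassResolver that refuses to resolve any class not on an explicit allowlist, and a MemberAccess that refuses any member not declared on an allowlisted class, which also closes the generic reflective pivot through `Object.getClass()`. The `Order` class, `ALLOWED_CLASSES`, and the sample expressions are constructed for the example, and the sample reflective expression is a general illustration rather than the specific bypass behind this CVE. The API names (`Ognl.createDefaultContext`, `setClassResolver`, `setMemberAccess`, `getValue`, `ClassResolver`, `MemberAccess`, `DefaultMemberAccess`) are assumed to follow the commons-ognl trunk sources and should be checked against the build actually in use.

```java
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Map;
import java.util.Set;

import org.apache.commons.ognl.ClassResolver;
import org.apache.commons.ognl.DefaultMemberAccess;
import org.apache.commons.ognl.Ognl;

/**
 * Added example: permissive versus allowlisted OGNL evaluation.
 * Assumption: API names match the commons-ognl trunk sources.
 */
public class OgnlAllowlistDemo {

    /** Constructed root object of the kind a template might be given. */
    public static class Order {
        private final String id;
        public Order(String id) { this.id = id; }
        public String getId() { return id; }
    }

    /** Deny-by-default: only these classes may be resolved or have members invoked. */
    private static final Set<String> ALLOWED_CLASSES = Set.of(
        Order.class.getName(), "java.lang.String", "java.lang.Math");

    /** Refuses to resolve any class name that is not explicitly allowlisted. */
    static final class AllowlistClassResolver implements ClassResolver {
        @Override
        public <T> Class<T> classForName(String className, Map<String, Object> context)
                throws ClassNotFoundException {
            if (!ALLOWED_CLASSES.contains(className)) {
                throw new ClassNotFoundException("class not allowlisted: " + className);
            }
            @SuppressWarnings("unchecked")
            Class<T> c = (Class<T>) Class.forName(className);
            return c;
        }
    }

    /**
     * Admits only public members declared on allowlisted classes. Object.getClass()
     * is declared on java.lang.Object, which is not allowlisted, so the usual
     * reflective pivot to arbitrary classes is refused here as well.
     */
    static final class AllowlistMemberAccess extends DefaultMemberAccess {
        AllowlistMemberAccess() { super(false); }   // no private/protected access
        @Override
        public boolean isAccessible(Map<String, Object> context, Object target,
                                    Member member, String propertyName) {
            return Modifier.isPublic(member.getModifiers())
                && ALLOWED_CLASSES.contains(member.getDeclaringClass().getName())
                && super.isAccessible(context, target, member, propertyName);
        }
    }

    /** Evaluates expr against root with either the weak or the hardened context. */
    static String tryEval(String expr, Object root, boolean permissive) {
        try {
            Map<String, Object> ctx = Ognl.createDefaultContext(root);
            if (permissive) {
                // Weak setting: allow everything; only a blocklist stands between
                // the expression and the JVM.
                Ognl.setMemberAccess(ctx, new DefaultMemberAccess(true));
            } else {
                Ognl.setClassResolver(ctx, new AllowlistClassResolver());
                Ognl.setMemberAccess(ctx, new AllowlistMemberAccess());
            }
            return String.valueOf(Ognl.getValue(expr, ctx, root));
        } catch (Exception e) {
            return "rejected (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        Order order = new Order("A-17");
        String[] samples = {
            "id",                                   // benign property read
            "@java.lang.Math@max(1, 2)",            // static call on an allowlisted class
            // Constructed reflective pivot: reaches a class by name without ever
            // writing it as a static reference, so a token-level blocklist never sees it.
            "getClass().forName('java.lang.System').getProperty('user.name')"
        };
        for (String expr : samples) {
            System.out.println(expr);
            System.out.println("  permissive : " + tryEval(expr, order, true));
            System.out.println("  allowlisted: " + tryEval(expr, order, false));
        }
    }
}
```

With the permissive context all three expressions evaluate, including the reflective one. With the allowlisted context the first two still work and the third is rejected at `getClass()`, because the member is declared on `java.lang.Object`. The allowlist has to be kept deliberately small: every class added to it, and every public method of that class, becomes reachable from untrusted expressions, which is exactly the surface the retired blocklist failed to bound.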