CVE-2025-58059
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-08-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| com.ritense.valtimo | core | * |
| valtimo | valtimo-backend-libraries | * |
| camunda | camunda_bpm | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58059 is a sandbox escape in the scripting support of the Valtimo process automation platform. An authenticated administrator who can create, modify and execute process definitions can place a script task (or any other BPMN element that carries a script) into a definition and have the process engine underneath Valtimo (Camunda or Operaton) evaluate it with unrestricted access to the JVM. Such a script can run executables on the application host, read environment variables and application properties, and reach application internals such as Spring beans and database connection pools. The root cause is that the scripting engine did not restrict which Java classes and system resources a script may touch, which is why the issue is classified both as OS command injection (CWE-78) and as exposure of sensitive information (CWE-200). Affected are Valtimo versions before 12.16.0.RELEASE, and 13.0.0.RELEASE up to but not including 13.1.2.RELEASE; the fix ships in 12.16.0.RELEASE and 13.1.2.RELEASE. [1]
How can this vulnerability impact me?
If exploited, an administrator's script can execute arbitrary commands on the application host, read sensitive data from the host environment and application properties (credentials included), and reach internal components such as Spring beans and database connection pools. The practical outcome is full compromise of the application environment, a data breach, and possible disruption of service. The precondition is an account with admin rights over process definitions plus some scripting knowledge, so the exposure is to insider misuse and to any attacker who has already taken over such an account. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively affect compliance with standards like GDPR and HIPAA because it allows unauthorized access to sensitive data and system resources, potentially leading to data breaches and exposure of personal or protected health information. Such breaches can violate data protection and privacy regulations, resulting in legal and financial consequences. Therefore, failing to patch or mitigate this vulnerability could put an organization at risk of non-compliance with these regulations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts. First, confirm whether a vulnerable build is deployed: Valtimo before 12.16.0.RELEASE, or 13.0.0.RELEASE up to but not including 13.1.2.RELEASE. In a Gradle or Maven build the version of the com.ritense.valtimo artifacts is visible in the dependency tree (`./gradlew dependencies | grep ritense` or `mvn dependency:tree | grep ritense`). Second, establish which accounts can create, modify and execute process definitions, and review the definitions already deployed: export the BPMN files and look for script tasks and script listeners (`<bpmn:scriptTask>`, `<camunda:script>`) whose code references `Runtime`, `ProcessBuilder`, `System.getenv`, Spring bean lookups or JDBC classes. Because exploitation needs admin rights and scripting knowledge, the engine's deployment history and the admin audit log are where exploitation would show up: new or modified process definitions containing scripts, deployed by an admin account outside normal change windows. The cited resources do not provide specific commands; the version check and the script review above are the practical starting point. [1, 2]
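The script review described above can be automated. The following is an added example written for this page, not code from Valtimo, Camunda or the cited resources: it parses a BPMN definition with the JDK's built-in DOM parser (Java 17 or later assumed), lists every embedded script together with the element that owns it, and flags scripts that reference OS commands, the host environment, reflection, the Spring context or JDBC. The indicator list and the sample definition are constructed for the example; the `camunda` namespace is the Camunda 7 one, so on Operaton substitute its extension namespace. The matching is heuristic, so a clean result means "nothing obvious", not proof of absence.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Triage helper for BPMN files exported from the engine: lists scripts and flags risky ones. */
public class BpmnScriptAudit {

    /** One embedded script; reason is null when no indicator matched. */
    public record Finding(String processId, String elementId, String scriptFormat, String reason) {}

    // Hypothetical indicator list assembled for this example; extend it for your environment.
    private static final Pattern INDICATORS = Pattern.compile(
          "getRuntime|ProcessBuilder|\\.exec(ute)?\\s*\\("                      // OS command execution
        + "|System\\s*\\.\\s*(getenv|getProperty|exit)"                          // host environment
        + "|Class\\s*\\.\\s*forName|Java\\.type|ClassLoader|getDeclaredMethod"   // reflection / class loading
        + "|getBean\\s*\\(|getProcessEngineConfiguration|ApplicationContext"     // Spring internals
        + "|DataSource|java\\.sql|javax\\.sql"                                    // connection pool / JDBC
        + "|java\\.io\\.File|java\\.nio\\.file");                                 // filesystem

    public static List<Finding> audit(String bpmnXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The BPMN file is admin-supplied input as well: no DTDs, no external entities, no XInclude.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(bpmnXml)));

        List<Finding> findings = new ArrayList<>();

        // <bpmn:script> under a scriptTask and <camunda:script> under listeners share the local
        // name "script"; the "*" namespace argument matches both.
        NodeList scripts = doc.getElementsByTagNameNS("*", "script");
        for (int i = 0; i < scripts.getLength(); i++) {
            Element script = (Element) scripts.item(i);
            Element owner = nearestWithId(script);
            String format = script.hasAttribute("scriptFormat")
                    ? script.getAttribute("scriptFormat")
                    : owner.getAttribute("scriptFormat");
            Matcher m = INDICATORS.matcher(script.getTextContent());
            String reason = m.find() ? "script references " + m.group() : null;
            findings.add(new Finding(processIdOf(script), owner.getAttribute("id"), format, reason));
        }

        // A script task may load its code from a resource instead (camunda:resource="...");
        // that code is not in the BPMN file and has to be reviewed separately.
        NodeList tasks = doc.getElementsByTagNameNS("*", "scriptTask");
        for (int i = 0; i < tasks.getLength(); i++) {
            Element task = (Element) tasks.item(i);
            NamedNodeMap attrs = task.getAttributes();
            for (int j = 0; j < attrs.getLength(); j++) {
                Node attr = attrs.item(j);
                if ("resource".equals(attr.getLocalName())) {
                    findings.add(new Finding(processIdOf(task), task.getAttribute("id"),
                            task.getAttribute("scriptFormat"), "external script " + attr.getNodeValue()));
                }
            }
        }
        return findings;
    }

    /** Nearest ancestor-or-self carrying an id: the scriptTask, or the task hosting a listener. */
    private static Element nearestWithId(Element e) {
        Node n = e;
        while (n instanceof Element el) {
            if (el.hasAttribute("id")) return el;
            n = n.getParentNode();
        }
        return e;
    }

    private static String processIdOf(Element e) {
        Node n = e;
        while (n instanceof Element el) {
            if ("process".equals(el.getLocalName())) return el.getAttribute("id");
            n = n.getParentNode();
        }
        return "?";
    }

    // Constructed sample: a benign script task, one that shells out and reads the environment,
    // a script listener that loads a class by name, and a task pointing at an external resource.
    static final String SAMPLE = """
        <?xml version="1.0" encoding="UTF-8"?>
        <bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL"
                          xmlns:camunda="http://camunda.org/schema/1.0/bpmn" id="sample">
          <bpmn:process id="invoice-approval" isExecutable="true">
            <bpmn:scriptTask id="computeTotal" scriptFormat="groovy">
              <bpmn:script>execution.setVariable("total", amount * 1.21)</bpmn:script>
            </bpmn:scriptTask>
            <bpmn:scriptTask id="collectHostInfo" scriptFormat="groovy">
              <bpmn:script>def who = "id".execute().text
        execution.setVariable("secret", System.getenv("DB_PASSWORD"))</bpmn:script>
            </bpmn:scriptTask>
            <bpmn:serviceTask id="notify" camunda:expression="${notifier.send(execution)}">
              <bpmn:extensionElements>
                <camunda:executionListener event="end">
                  <camunda:script scriptFormat="javascript">Java.type("java.lang.Runtime").getRuntime().exec("id")</camunda:script>
                </camunda:executionListener>
              </bpmn:extensionElements>
            </bpmn:serviceTask>
            <bpmn:scriptTask id="helper" scriptFormat="groovy" camunda:resource="deployment://helper.groovy"/>
          </bpmn:process>
        </bpmn:definitions>
        """;

    public static void main(String[] args) throws Exception {
        // Expected: computeTotal has no indicator; the other three are flagged.
        for (Finding f : audit(SAMPLE)) {
            System.out.printf("%s/%s [%s]: %s%n", f.processId(), f.elementId(), f.scriptFormat(),
                    f.reason() == null ? "no indicator" : f.reason());
        }
    }
}
```

Run it over every BPMN file exported from the engine's deployment history, not only the current versions: the earlier revisions show whether a script was added and later removed again, which is the pattern to look for when the admin account is suspected of having been abused.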
What immediate steps should I take to mitigate this vulnerability?
Upgrade to 12.16.0.RELEASE (12.x line) or 13.1.2.RELEASE (13.x line) or later, where the issue is patched. If the upgrade cannot happen immediately, two workarounds are available: disable scripting in the process engine by setting the scriptEngineResolver to null from a custom ProcessEnginePlugin implementation (this makes every process definition that uses script tasks or script listeners fail, so test it in a staging environment first), or apply the sandboxing whitelist plugin that restricts which Java classes scripts may access. Independently of either, shrink the precondition: keep the admin role that can deploy and execute process definitions to the smallest possible group, and treat each deployment of a script-bearing definition as a reviewed change. [1, 2]
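What the scripting-disable workaround looks like in a Spring Boot application, as an added example for this page and not Valtimo's or Camunda's own code: a ProcessEnginePlugin that, after the engine configuration has been initialised, removes the resolver the engine uses to look up script engines by language. Assumptions: the Camunda 7 classes `AbstractProcessEnginePlugin`, `ProcessEngineConfigurationImpl` and `ScriptingEngines.setScriptEngineResolver` (on Operaton the packages are renamed), the Camunda Spring Boot starter's behaviour of adding every `ProcessEnginePlugin` bean to the engine, and hypothetical class names. The exact setter path should be verified against the engine version you ship before relying on it.

```java
import org.camunda.bpm.engine.impl.cfg.AbstractProcessEnginePlugin;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.cfg.ProcessEnginePlugin;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Temporary lockdown for an unpatched Valtimo (hypothetical class names): leaves the process
 * engine without a script engine resolver, so script tasks and script listeners fail instead
 * of executing. Remove once the deployment runs 12.16.0.RELEASE / 13.1.2.RELEASE or later.
 */
@Configuration
public class ScriptingLockdownConfiguration {

    /** The plugin itself; postInit runs after the engine configuration has built ScriptingEngines. */
    static class DisableScriptingPlugin extends AbstractProcessEnginePlugin {
        @Override
        public void postInit(ProcessEngineConfigurationImpl configuration) {
            // With no resolver, no language (groovy, javascript, ...) can be looked up any more,
            // so every script evaluation throws. Setter path assumed from Camunda 7's
            // ScriptingEngines; confirm it exists in the engine version you use.
            configuration.getScriptingEngines().setScriptEngineResolver(null);
        }
    }

    // The Camunda Spring Boot starter collects every ProcessEnginePlugin bean into the engine's
    // plugin chain, so exposing the plugin as a bean is all the wiring needed.
    @Bean
    public ProcessEnginePlugin disableScriptingPlugin() {
        return new DisableScriptingPlugin();
    }
}
```

Because the workaround turns script execution into a hard failure rather than a silent skip, run the full set of deployed process definitions through a staging environment first and confirm that none of the flows the business depends on contain script tasks or script listeners; the ones that do will need to be rewritten as service tasks or expressions until the upgrade lands.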