CVE-2025-63690
BaseFortify
Publication date: 2025-11-07
Last updated on: 2025-12-08
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pig4cloud | pig | up to 3.8.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-470 | The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in pig-mesh Pig versions 3.8.2 and below. It occurs in the Quartz management function of the system management module when a scheduled task is configured. Because the task's class name and method name come from user input and are resolved through reflection (CWE-470), an attacker can instantiate any Java class on the classpath that has a parameterless constructor and invoke any of its methods that takes a single String parameter. Specifically, the eval method of Tomcat's built-in class jakarta.el.ELProcessor can be reached this way to execute arbitrary commands, resulting in remote code execution.
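The defensive shape of a scheduler that lets an administrator choose a task by name, as an added example that is not code from the pig project: the task name is looked up in a closed registry and a fixed interface method is called, so no user-controlled string ever reaches Class.forName or Method.invoke. The ScheduledTask interface, the job classes and the registry keys are assumptions.

```java
import java.util.Map;
import java.util.function.Supplier;

// Added example, not the pig project's code. Avoids the CWE-470 pattern:
// instead of resolving a class name and method name from the request via
// reflection, the request only selects an entry in a fixed registry.
public final class SafeTaskRegistry {

    // Every schedulable task implements one fixed entry point (assumed).
    public interface ScheduledTask {
        void run(String argument);
    }

    // Example jobs, constructed for illustration.
    static final class ReportJob implements ScheduledTask {
        public void run(String argument) { System.out.println("report: " + argument); }
    }
    static final class CleanupJob implements ScheduledTask {
        public void run(String argument) { System.out.println("cleanup: " + argument); }
    }

    // Closed registry: only these names resolve. Arbitrary classpath classes,
    // such as jakarta.el.ELProcessor named in the advisory, are unreachable.
    private static final Map<String, Supplier<ScheduledTask>> REGISTRY = Map.of(
            "reportJob", ReportJob::new,
            "cleanupJob", CleanupJob::new);

    public static ScheduledTask resolve(String taskName) {
        Supplier<ScheduledTask> factory = REGISTRY.get(taskName);
        if (factory == null) {
            // Unknown names are rejected; callers should log the attempt,
            // since a class name in this field is a useful detection signal.
            throw new IllegalArgumentException("unknown scheduled task: " + taskName);
        }
        return factory.get();
    }

    public static void main(String[] args) {
        resolve("reportJob").run("daily");            // permitted
        try {
            resolve("jakarta.el.ELProcessor");        // rejected: not a registry key
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```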
How can this vulnerability impact me?
This vulnerability can allow an attacker to remotely execute arbitrary code on the affected system. This means the attacker could potentially take full control of the system, execute malicious commands, access sensitive data, disrupt services, or use the system as a foothold for further attacks.