CVE-2025-14674
Remote Code Injection in Aizuda Snail-Job QLExpressEngine
Publication date: 2025-12-14
Last updated on: 2026-02-24
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aizuda | snail-job | 1.7.0-beta1 |
| aizuda | snail-job | 1.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14674 is an expression injection vulnerability in the Snail-Job software (versions up to 1.6.0), specifically in the QLExpressEngine.doEval method. This method evaluates user-supplied expressions without sufficient security controls, allowing attackers to submit crafted expressions through the /workflow/check-node-expression API endpoint. These malicious expressions can bypass existing blacklists and lead to remote code execution (RCE) on the server, enabling attackers to run arbitrary commands remotely. [1, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability allows an attacker to execute arbitrary code remotely on the affected server. This can compromise the confidentiality, integrity, and availability of the system by enabling unauthorized command execution, potentially leading to full system compromise, data breaches, or service disruption. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and analyzing requests to the `/workflow/check-node-expression` API endpoint, which is exploited by submitting crafted expressions to the QLExpressEngine.doEval method. Detection involves looking for suspicious or unusual expressions, especially those attempting JNDI lookups like `javax.naming.InitialContext.doLookup`. Network or application logs should be inspected for POST requests to this endpoint containing such payloads. Specific commands are not provided in the resources, but monitoring HTTP POST requests to `/workflow/check-node-expression` and searching for payloads containing `javax.naming.InitialContext.doLookup` or similar suspicious expressions is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the affected Snail-Job software to version 1.7.0-beta1, which includes a patch fixing this vulnerability. Additionally, enhancing the blacklist to block dangerous expressions such as `javax.naming.InitialContext.doLookup` and implementing stricter input validation and sandboxing of expression evaluation are recommended to prevent exploitation. Applying the patch identified by commit 978f316c38b3d68bb74d2489b5e5f721f6675e86 is also advised if upgrading is not immediately possible. [1, 2, 4]