CVE-2025-61982
Received Received - Intake
Arbitrary Code Execution in OpenCFD OpenFOAM 2506 Directive

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Talos

Description
An arbitrary code execution vulnerability exists in the Code Stream directive functionality of OpenCFD OpenFOAM 2506. A specially crafted OpenFOAM simulation file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61982
EUVD
EUVD-2025-207855
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opencfd openfoam 2506
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61982 is an arbitrary code execution vulnerability found in the Code Stream directive functionality of OpenCFD OpenFOAM version 2506.

OpenFOAM uses dictionary files to specify simulation settings, and these files can include a special directive called #codeStream that allows embedding arbitrary C++ code.

This embedded code is automatically compiled and executed during simulation, which can include dangerous calls such as system(), enabling an attacker to execute arbitrary code remotely by providing a specially crafted simulation file.

By default, the configuration option allowSystemOperations is set to true, allowing this automatic code execution without warning, which makes the system vulnerable.

Mitigation involves setting allowSystemOperations to false in the OpenFOAM configuration file to disable this behavior.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code on the system running OpenFOAM by supplying a malicious simulation file.

Successful exploitation can lead to full compromise of confidentiality, integrity, and availability of the affected system.

  • Confidentiality impact: attacker can access sensitive data.
  • Integrity impact: attacker can modify or corrupt data or simulation results.
  • Availability impact: attacker can disrupt or disable the simulation software or the host system.

The vulnerability has a high CVSS score of 7.8, indicating a serious security risk.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting OpenFOAM configuration files for the presence and value of the allowSystemOperations option. Since the vulnerability arises from the automatic execution of code embedded via the #codeStream directive in dictionary files, checking whether allowSystemOperations is set to true (or absent, which defaults to true) is critical.'}, {'type': 'paragraph', 'content': 'A practical detection method is to search for the allowSystemOperations setting in OpenFOAM configuration files and verify if it is set to false. Additionally, scanning for the presence of #codeStream directives in simulation dictionary files can help identify potentially malicious or vulnerable configurations.'}, {'type': 'list_item', 'content': 'Use grep or similar commands to find the allowSystemOperations setting, for example: grep -r allowSystemOperations /path/to/OpenFOAM/'}, {'type': 'list_item', 'content': "Search for #codeStream directives in dictionary files: grep -r '#codeStream' /path/to/OpenFOAM/"}] [1]

Mitigation Strategies

The immediate mitigation step is to explicitly disable the automatic execution of arbitrary code by setting the allowSystemOperations option to false in the OpenFOAM configuration files.

  • Edit the relevant OpenFOAM configuration file(s) and add or modify the line: allowSystemOperations 0

This setting prevents the automatic compilation and execution of embedded C++ code via the #codeStream directive, effectively mitigating the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61982. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart