CVE-2025-11919
JVM Classpath Hijacking via Temporary Directory Manipulation

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: CERT/CC

Description
The default JVM can access files and directories under `/tmp/`, including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.
Affected Vendors & Products
Vendor Product Version / Range
wolfram cloud to 14.2.1 (inc)
CWE ID Description
CWE-UNKNOWN
Executive Summary

CVE-2025-11919 is a vulnerability in Wolfram Cloud version 14.2 that arises from insecure handling of the shared /tmp/ directory in a multi-tenant cloud environment. During the Java Virtual Machine (JVM) initialization, the JVM accesses files and directories under /tmp/, including temporary directories of other users. An attacker with access to this shared space can create or replace .jar files or directories that the JVM will load first in its classpath, such as a malicious version of a commonly used library like commons-io.

By exploiting this race condition, the attacker can cause the JVM to load and execute malicious code during startup, leading to arbitrary code execution within the victim's JVM process.

Impact Analysis

This vulnerability can have severe impacts including privilege escalation, information disclosure, and remote code execution within the affected cloud environment.

  • Attackers can gain unauthorized access to other users' temporary directories.
  • They can execute arbitrary malicious code in the context of another user's JVM process.
  • This can lead to data exfiltration and lateral movement within the shared cloud environment.
  • The attack requires no user interaction and can be triggered predictably if the attacker knows when other users launch Java processes.
Detection Guidance

Detection of this vulnerability involves checking for unauthorized or suspicious files in the shared /tmp/ directory, especially looking for malicious .jar files or -init files that could be used to manipulate the JVM classpath.

You can list files in the /tmp/ directory and subdirectories related to other users' temporary files to identify unexpected or suspicious entries.

  • Use commands like `ls -la /tmp/` and `find /tmp/ -name '*.jar'` to locate potentially malicious jar files.
  • Check for the presence of -init files in /tmp/ directories with `find /tmp/ -name '*-init*'`.
  • Monitor JVM startup logs for unusual classpath entries or errors indicating loading of unexpected libraries.
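The following audit script is an added example, not part of this advisory or of Wolfram's tooling. It turns the checks above into one function that walks a temp tree, lists every `.jar` and `*-init*` entry, and reports only those a defender should worry about: entries whose parent directory is world-writable without the sticky bit (so another tenant could replace them) or that are owned by a different user. The tree path is a parameter (point it at `/tmp`); the fixture paths in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory. Audits a temp tree (intended target: /tmp)
# for classpath-style entries an attacker could pre-create or replace: .jar files
# and *-init* entries. Each hit is printed with the reason it is risky: a
# world-writable parent directory lacking the sticky bit (anyone can swap the
# file), or an owner other than the invoking user (it did not come from our JVM).
# Requires find(1) with -maxdepth (GNU and BSD find both support it).

audit_tmp_classpath_entries() {
    dir=$1
    me=$(id -un)
    find "$dir" \( -name '*.jar' -o -name '*-init*' \) 2>/dev/null |
    while IFS= read -r entry; do
        flags=""
        parent=$(dirname "$entry")
        # Parent is world-writable (o+w) and not sticky: others can replace the entry.
        if [ -n "$(find "$parent" -maxdepth 0 -perm -0002 ! -perm -1000)" ]; then
            flags="${flags}world-writable-parent "
        fi
        # Entry is owned by someone else: it was not created by this user's JVM.
        if [ -n "$(find "$entry" -maxdepth 0 ! -user "$me")" ]; then
            flags="${flags}foreign-owner "
        fi
        if [ -n "$flags" ]; then
            printf '%s\t%s\n' "$flags" "$entry"
        fi
    done
}

# Number of flagged entries, usable as a cron check or monitoring threshold.
count_flagged_entries() {
    audit_tmp_classpath_entries "$1" | wc -l | tr -d ' '
}

# Stand-alone use: ./audit.sh /tmp
if [ $# -gt 0 ]; then
    audit_tmp_classpath_entries "$1"
fi
```

A `.jar` sitting directly in a sticky `/tmp` and owned by you is not reported; the same file under a 0777 subdirectory such as a shared `UserTemporaryFiles` tree, or owned by another account, is.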
Mitigation Strategies

Immediate mitigation steps include restricting access to the shared /tmp/ directory to prevent unauthorized users from creating or replacing files.

Hardening the JVM classpath resolution process to avoid loading malicious libraries from untrusted locations is critical.

Implement per-user sandboxing to isolate temporary directories and prevent cross-user access.

Upgrade Wolfram Cloud to version 14.2.1 or later, where this vulnerability has been patched.
