oss-sec mailing list archives

CVE-2025-59302: Apache CloudStack: Potential remote code execution on Javascript engine defined rules


From: Harikrishna Patnala <harikrishna () apache org>
Date: Thu, 27 Nov 2025 06:35:16 +0000

Severity: low

Affected versions:

- Apache CloudStack 4.18.0 before 4.20.2
- Apache CloudStack 4.21.0 before 4.22.0

Description:

In Apache CloudStack, an improper control of generation of code ('Code Injection') vulnerability is found in the following
APIs, which are accessible only to admins.

  *  quotaTariffCreate
  *  quotaTariffUpdate
  *  createSecondaryStorageSelector
  *  updateSecondaryStorageSelector
  *  updateHost
  *  updateStorage


This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to 
upgrade to versions 4.20.2 or 4.22.0, which contain the fix.

The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the 
interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.
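The following script is an added example, not part of the advisory or the CloudStack project. It checks a deployment against the affected ranges above and reads the js.interpretation.enabled value out of a listConfigurations API response; the JSON response embedded below is constructed to mirror that API's output shape, not captured from a real system.

```python
"""Assess exposure to CVE-2025-59302 from a CloudStack version string and a
listConfigurations response (assumed to have been requested with
name=js.interpretation.enabled). All sample data here is constructed."""
import json

# Affected ranges from the advisory: [4.18.0, 4.20.2) and [4.21.0, 4.22.0)
AFFECTED_RANGES = [((4, 18, 0), (4, 20, 2)), ((4, 21, 0), (4, 22, 0))]


def parse_version(v: str) -> tuple:
    """'4.20.1.0' -> (4, 20, 1); a 4th component or '-SNAPSHOT' suffix is ignored."""
    parts = v.split("-")[0].split(".")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def version_affected(v: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    ver = parse_version(v)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


def js_interpretation_enabled(resp_json: str):
    """Return the flag value from a listConfigurations response, or None when
    the key is absent (builds without the fix do not expose it)."""
    body = json.loads(resp_json)["listconfigurationsresponse"]
    for cfg in body.get("configuration", []):
        if cfg.get("name") == "js.interpretation.enabled":
            return str(cfg.get("value", "")).lower() == "true"
    return None


def assess(version: str, resp_json: str) -> str:
    if version_affected(version):
        return "VULNERABLE: upgrade to 4.20.2 or 4.22.0"
    flag = js_interpretation_enabled(resp_json)
    if flag is None:
        return "UNKNOWN: js.interpretation.enabled not present, verify the build"
    if flag:
        return "PATCHED but JS interpretation is enabled, disable it unless required"
    return "FIXED: JS interpretation disabled"


# Constructed sample response in the shape of listConfigurations JSON output
SAMPLE = json.dumps({"listconfigurationsresponse": {"count": 1, "configuration": [
    {"name": "js.interpretation.enabled", "value": "false"}]}})

if __name__ == "__main__":
    for v in ("4.19.1", "4.20.2", "4.21.0", "4.22.0"):
        print(v, "->", assess(v, SAMPLE))
```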

Credit:

Tianyi Cheng <chengtianyi () huawei com> (finder)

References:

https://cloudstack.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-59302

