CVE-2025-11919

CRITICAL

Unprotected temporary directories in Wolfram Cloud may result in privilege escalation

Title source: cna
STIX 2.1

Description

The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.

Scores

CVSS v3 9.6
EPSS 0.0040
EPSS Percentile 32.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

Status published
Products (1)
Wolfram Research Inc./Cloud 14.2
Published Jun 26, 2026
Tracked Since Jun 26, 2026