CVE-2025-13426

Apigee JavaCallout < - RCE

Title source: llm

Description

A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: * Hybrid_1.11.2+ * Hybrid_1.12.4+ * Hybrid_1.13.3+ * Hybrid_1.14.1+ * OPDK_5202+ * OPDK_5300+

References (1)

[Various Sources] https://docs.cloud.google.com/apigee/docs/hybrid/release-notes#March_01_2025

Scores

EPSS 0.0048

EPSS Percentile 64.5%

Classification

CWE

CWE-913

Status draft

Timeline

Published Dec 05, 2025

Tracked Since Feb 18, 2026