CVE-2025-13426

HIGH

Google Cloud Apigee hybrid Javacallout policy - Remote Code Execution via Malicious MessageContext Object Injection

Title source: llm

Description

A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: * Hybrid_1.11.2+ * Hybrid_1.12.4+ * Hybrid_1.13.3+ * Hybrid_1.14.1+ * OPDK_5202+ * OPDK_5300+

References (1)

Core 1

Core References

Various Sources

https://docs.cloud.google.com/apigee/docs/hybrid/release-notes#March_01_2025

Scores

CVSS v4 8.7

EPSS 0.0039

EPSS Percentile 30.2%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-913

Status published

Products (6)

Google Cloud/Apigee hybrid Javacallout policy < Hybrid_1.11.2

Google Cloud/Apigee hybrid Javacallout policy < Hybrid_1.12.4

Google Cloud/Apigee hybrid Javacallout policy < Hybrid_1.13.3

Google Cloud/Apigee hybrid Javacallout policy < Hybrid_1.14.1

Google Cloud/Apigee hybrid Javacallout policy < OPDK_5202

Google Cloud/Apigee hybrid Javacallout policy < OPDK_5300

Published Dec 05, 2025

Tracked Since Feb 18, 2026