CVE-2025-14674

MEDIUM

aizuda snail-job <1.6.0 - Code Injection

Title source: llm

Description

A vulnerability was found in aizuda snail-job up to 1.6.0. Affected by this vulnerability is the function QLExpressEngine.doEval of the file snail-job-common/snail-job-common-core/src/main/java/com/aizuda/snailjob/common/core/expression/strategy/QLExpressEngine.java. The manipulation results in injection. The attack can be launched remotely. Upgrading to version 1.7.0-beta1 addresses this issue. The patch is identified as 978f316c38b3d68bb74d2489b5e5f721f6675e86. The affected component should be upgraded.

References (7)

[Permissions Required, VDB Entry] https://vuldb.com/?id.336403

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.336403

[Issue Tracking] https://gitee.com/aizuda/snail-job/issues/ICNUG0

[Issue Tracking] https://gitee.com/aizuda/snail-job/issues/ICNUG0#note_44321424_link

[Patch] https://gitee.com/aizuda/snail-job/commit/978f316c38b3d68bb74d2489b5e5f721f6675e86

[Release Notes] https://gitee.com/aizuda/snail-job/releases/tag/vsj1.7.0-beta1

[Various Sources] https://gitee.com/aizuda/snail-job/

Scores

CVSS v3 6.3

EPSS 0.0003

EPSS Percentile 8.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-707 CWE-74

Status published

Products (9)

aizuda/snail-job 1.0

aizuda/snail-job 1.1

aizuda/snail-job 1.2

aizuda/snail-job 1.3

aizuda/snail-job 1.4

aizuda/snail-job 1.5

aizuda/snail-job 1.6.0

aizuda/snail-job 1.7.0-beta1

com.aizuda/snail-job 0 - 1.7.0-beta1Maven

Published Dec 14, 2025

Tracked Since Feb 18, 2026