CVE-2025-2622

MEDIUM

aizuda snail-job 1.4.0 - Deserialization

Title source: llm

Description

A vulnerability was found in aizuda snail-job 1.4.0. It has been classified as critical. Affected is the function getRuntime of the file /snail-job/workflow/check-node-expression of the component Workflow-Task Management Module. The manipulation of the argument nodeExpression leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

References (5)

[Exploit, Issue Tracking, Third Party Advisory] https://gitee.com/aizuda/snail-job/issues/IBSQ24

[Exploit, Issue Tracking, Third Party Advisory] https://gitee.com/aizuda/snail-job/issues/IBSQ24#note_38500450_link

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.300624

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.300624

[Exploit, Third Party Advisory, VDB Entry] https://vuldb.com/?submit.518999

Scores

CVSS v3 6.3

EPSS 0.0014

EPSS Percentile 34.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502 CWE-20

Status published

Affected Products (2)

aizuda/snail-job

com.aizuda/snail-job Maven

Timeline

Published Mar 22, 2025

Tracked Since Feb 18, 2026