CVE-2025-53192

HIGH LAB

Apache Commons OGNL - Code Injection

Title source: llm

Description

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL. This issue affects Apache Commons OGNL: all versions. When using the API Ognl.getValue​, the OGNL engine parses and evaluates the provided expression with powerful capabilities, including accessing and invoking related methods, etc. Although OgnlRuntime attempts to restrict certain dangerous classes and methods (such as java.lang.Runtime) through a blocklist, these restrictions are not comprehensive. Attackers may be able to bypass the restrictions by leveraging class objects that are not covered by the blocklist and potentially achieve arbitrary code execution. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Exploits (1)

github WORKING POC 1 stars
by exploitintel · pythonpoc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-53192

References (2)

Scores

CVSS v3 8.8
EPSS 0.0003
EPSS Percentile 8.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Lab Environment

Lab screenshot
vulnerable
docker pull ghcr.io/exploitintel/cve-2025-53192-vulnerable:latest
All Labs GitHub

Classification

CWE
CWE-146
Status published

Affected Products (1)

apache/commons_ognl

Timeline

Published Aug 18, 2025
Tracked Since Feb 18, 2026