CVE-2025-53192

HIGH LAB

Apache Commons OGNL - Code Injection

Title source: llm

Description

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL. This issue affects Apache Commons OGNL: all versions. When using the API Ognl.getValue​, the OGNL engine parses and evaluates the provided expression with powerful capabilities, including accessing and invoking related methods, etc. Although OgnlRuntime attempts to restrict certain dangerous classes and methods (such as java.lang.Runtime) through a blocklist, these restrictions are not comprehensive. Attackers may be able to bypass the restrictions by leveraging class objects that are not covered by the blocklist and potentially achieve arbitrary code execution. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Exploits (1)

github WORKING POC 1 stars
by exploitintel · pythonpoc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-53192

References (2)

Scores

CVSS v3 8.8
EPSS 0.0006
EPSS Percentile 19.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Lab Environment

EIP LAB Lab screenshot
vulnerable docker pull ghcr.io/exploitintel/cve-2025-53192-vulnerable:latest

Details

CWE
CWE-146
Status published
Products (1)
apache/commons_ognl
Published Aug 18, 2025
Tracked Since Feb 18, 2026