CVE-2025-5680
AgileBPM < 2.5.0 - Deserialization via Groovy Script Handler
Severity: MEDIUM
Title source: llmDescription
A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
References (4)
- Third Party Advisory, VDB Entry (technical description): https://vuldb.com/?id.311167
- Permissions Required, VDB Entry (signature): https://vuldb.com/?ctiid.311167
- Third Party Advisory, VDB Entry: https://vuldb.com/?submit.585108
- Exploit, Issue Tracking, Vendor Advisory: https://gitee.com/agile-bpm/agile-bpm-basic/issues/ICAPT5
Scores
CVSS v3: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Attack Vector: NETWORK
EPSS: 0.0090 (percentile 76.2%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-502, CWE-20
Status: published
Products (1)
tongzhouyun/agilebpm < 2.5.0
Published: Jun 05, 2025
Tracked Since: Feb 18, 2026