CVE-2025-59302

MEDIUM

Apache Cloudstack < 4.20.2.0 - Code Injection

Title source: rule

Description

In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. * quotaTariffCreate * quotaTariffUpdate * createSecondaryStorageSelector * updateSecondaryStorageSelector * updateHost * updateStorage This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2025/11/27/2

Scores

CVSS v3 4.7

EPSS 0.0009

EPSS Percentile 25.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-94

Status published

Affected Products (2)

apache/cloudstack < 4.20.2.0

apache/cloudstack

Timeline

Published Nov 27, 2025

Tracked Since Feb 18, 2026