CVE-2025-9571
HIGHGoogle Cloud Data Fusion < 6.10.6, < 6.11.1 - Remote Code Execution via Artifact Upload
Title source: llmDescription
A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion. A user with permissions to upload artifacts to a Data Fusion instance can execute arbitrary code within the core AppFabric component. This could allow the attacker to gain control over the Data Fusion instance, potentially leading to unauthorized access to sensitive data, modification of data pipelines, and exploration of the underlying infrastructure. The following CDAP versions include the necessary update to protect against this vulnerability: * 6.10.6+ * 6.11.1+ Users must immediately upgrade to them, or greater ones, available at: https://github.com/cdapio/cdap-build/releases .
References (1)
Core 1
Core References
Various Sources
https://docs.cloud.google.com/support/bulletins#gcp-2025-076
Scores
CVSS v4
8.7
EPSS
0.0040
EPSS Percentile
31.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Red
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (2)
Google Cloud/Cloud Data Fusion
< 6.10.6
Google Cloud/Cloud Data Fusion
< 6.11.1
Published
Dec 10, 2025
Tracked Since
Feb 18, 2026