CVE-2025-11165

Source
https://cve.org/CVERecord?id=CVE-2025-11165
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11165.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-11165
Published
2026-02-24T09:16:12.310Z
Modified
2026-04-10T05:20:36.626159Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl.

By dynamically modifying the Velocity engine’s runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections.

Once these restrictions are cleared, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute arbitrary system commands under the privileges of the application process (e.g. dotCMS or Tomcat user).

References

Affected packages

Git / github.com/dotcms/core

Affected ranges

Type
GIT
Repo
https://github.com/dotcms/core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "24.12.27"
        },
        {
            "introduced": "25.01.07"
        },
        {
            "fixed": "25.07.10"
        }
    ]
}

Affected versions

22.*
22.10.1
3.*
3.0
3.5
3.5_Preview01
3.5_Preview02
3.6.0
pre-release.*
pre-release.07.13.23
pre3.*
pre3.5buildrevert
Other
release_candidate
v23.*
v23.09-pre
v24.*
v24.03.22
v25.*
v25.07.10-1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11165.json"