CVE-2025-59302

Source
https://cve.org/CVERecord?id=CVE-2025-59302
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59302.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59302
Published
2025-11-27T11:46:25.521Z
Modified
2026-07-15T02:15:58.116703689Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Apache CloudStack: Potential remote code execution on Javascript engine defined rules
Details

In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins.

  • quotaTariffCreate
  • quotaTariffUpdate
  • createSecondaryStorageSelector
  • updateSecondaryStorageSelector
  • updateHost
  • updateStorage

This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.

The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.

Database specific
{
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59302.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "4.18.0"
                },
                {
                    "fixed": "4.20.2"
                },
                {
                    "introduced": "4.21.0"
                },
                {
                    "fixed": "4.22.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        },
        {
            "extracted_events": [
                {
                    "introduced": "4.18.0"
                },
                {
                    "fixed": "4.20.2"
                },
                {
                    "introduced": "4.21.0"
                },
                {
                    "fixed": "4.22.0"
                }
            ],
            "source": "DESCRIPTION"
        }
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/cloudstack

Affected ranges

Type
GIT
Repo
https://github.com/apache/cloudstack
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:cloudstack:4.21.0.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "4.18.0.0"
        },
        {
            "fixed": "4.20.2.0"
        },
        {
            "introduced": "4.21.0.0"
        },
        {
            "last_affected": "4.21.0.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

4.*
4.18.0.0
4.20.0.0
4.20.1.0
4.21.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59302.json"