CVE-2025-62193
- Source
- https://cve.org/CVERecord?id=CVE-2025-62193
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62193.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-62193
- Published
- 2026-01-15T17:16:04.347Z
- Modified
- 2026-03-15T22:51:46.917710Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- [none]
- Details
-
Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.
- References
-
- https://github.com/NOAA-PMEL/LAS/blob/main/README.md
- https://github.com/NOAA-PMEL/LAS/compare/b4b7306..de5f923
- https://github.com/NOAA-PMEL/LAS/tree/main
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-015-01.json
- https://www.cve.org/CVERecord?id=CVE-2025-62193
- https://github.com/NOAA-PMEL/LAS/commit/de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29
- https://github.com/NOAA-PMEL/LAS/commit/e69afb1898ae7e69f3e047513fc1e5570373912b
Affected packages
Git / github.com/noaa-pmel/las
Affected ranges
- Type
- GIT
- Repo
- https://github.com/noaa-pmel/las
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/noaa-pmel/las
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v8.*
v8.5
v8.6
v8.6.1
v8.6.10
v8.6.11
v8.6.12
v8.6.12a
v8.6.13
v8.6.14
v8.6.15
v8.6.16
v8.6.17
v8.6.18
v8.6.19
v8.6.20
v8.6.3
v8.6.7
v8.6.8
v8.6.9
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62193.json"
vanir_signatures
[
{
"signature_type": "Function",
"source": "https://github.com/noaa-pmel/las/commit/e69afb1898ae7e69f3e047513fc1e5570373912b",
"id": "CVE-2025-62193-3935a9d6",
"deprecated": false,
"target": {
"function": "doFilter",
"file": "JavaSource/gov/noaa/pmel/tmap/las/filter/RequestInputFilter.java"
},
"signature_version": "v1",
"digest": {
"length": 4087.0,
"function_hash": "264110938858644081626382572019043999149"
}
},
{
"signature_type": "Line",
"source": "https://github.com/noaa-pmel/las/commit/e69afb1898ae7e69f3e047513fc1e5570373912b",
"id": "CVE-2025-62193-e3279f0f",
"deprecated": false,
"target": {
"file": "JavaSource/gov/noaa/pmel/tmap/las/filter/RequestInputFilter.java"
},
"signature_version": "v1",
"digest": {
"line_hashes": [
"126588383116845988257679067461954675817",
"154712059936506012146224492420687922825",
"311868067122082723401555757768005117980",
"121054533333909547447367334020681889490"
],
"threshold": 0.9
}
}
]