Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "8"
},
{
"last_affected": "8"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62193.json",
"cna_assigner": "cisa-cg",
"cwe_ids": [
"CWE-78"
]
}"2026-07-09T19:10:20Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62193.json"
[
{
"id": "CVE-2025-62193-3935a9d6",
"digest": {
"function_hash": "264110938858644081626382572019043999149",
"length": 4087.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/noaa-pmel/las/commit/e69afb1898ae7e69f3e047513fc1e5570373912b",
"deprecated": false,
"target": {
"function": "doFilter",
"file": "JavaSource/gov/noaa/pmel/tmap/las/filter/RequestInputFilter.java"
}
},
{
"id": "CVE-2025-62193-e3279f0f",
"digest": {
"line_hashes": [
"126588383116845988257679067461954675817",
"154712059936506012146224492420687922825",
"311868067122082723401555757768005117980",
"121054533333909547447367334020681889490"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/noaa-pmel/las/commit/e69afb1898ae7e69f3e047513fc1e5570373912b",
"deprecated": false,
"target": {
"file": "JavaSource/gov/noaa/pmel/tmap/las/filter/RequestInputFilter.java"
}
}
]