CVE-2025-62193

Source
https://cve.org/CVERecord?id=CVE-2025-62193
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62193.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-62193
Published
2026-01-15T16:44:15.708Z
Modified
2026-07-09T19:10:20.089888Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
NOAA PMEL Live Access Server (LAS) PyFerret command injection
Details

Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "8"
                },
                {
                    "last_affected": "8"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62193.json",
    "cna_assigner": "cisa-cg",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/noaa-pmel/las

Affected ranges

Type
GIT
Repo
https://github.com/noaa-pmel/las
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v8.*
v8.5
v8.6
v8.6.1
v8.6.11
v8.6.12
v8.6.12a
v8.6.19
v8.6.20
v8.6.3
v8.6.7

Database specific

vanir_signatures_modified
"2026-07-09T19:10:20Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62193.json"
vanir_signatures
[
    {
        "id": "CVE-2025-62193-3935a9d6",
        "digest": {
            "function_hash": "264110938858644081626382572019043999149",
            "length": 4087.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/noaa-pmel/las/commit/e69afb1898ae7e69f3e047513fc1e5570373912b",
        "deprecated": false,
        "target": {
            "function": "doFilter",
            "file": "JavaSource/gov/noaa/pmel/tmap/las/filter/RequestInputFilter.java"
        }
    },
    {
        "id": "CVE-2025-62193-e3279f0f",
        "digest": {
            "line_hashes": [
                "126588383116845988257679067461954675817",
                "154712059936506012146224492420687922825",
                "311868067122082723401555757768005117980",
                "121054533333909547447367334020681889490"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/noaa-pmel/las/commit/e69afb1898ae7e69f3e047513fc1e5570373912b",
        "deprecated": false,
        "target": {
            "file": "JavaSource/gov/noaa/pmel/tmap/las/filter/RequestInputFilter.java"
        }
    }
]