GHSA-3f8c-8h8v-p54h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3f8c-8h8v-p54h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-3f8c-8h8v-p54h/GHSA-3f8c-8h8v-p54h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3f8c-8h8v-p54h
- Aliases
-
- CVE-2025-14674
- Published
- 2025-12-14T18:31:30Z
- Modified
- 2025-12-16T01:11:16.212860Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- snail-job is vulnerable to Code Injection through QLExpressEngine.doEval function
- Details
-
A vulnerability was found in aizuda snail-job up to 1.6.0. Affected by this vulnerability is the function QLExpressEngine.doEval of the file snail-job-common/snail-job-common-core/src/main/java/com/aizuda/snailjob/common/core/expression/strategy/QLExpressEngine.java. The manipulation results in injection. The attack can be launched remotely. Upgrading to version 1.7.0-beta1 addresses this issue. The patch is identified as 978f316c38b3d68bb74d2489b5e5f721f6675e86. The affected component should be upgraded.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-74" ], "nvd_published_at": "2025-12-14T18:15:43Z", "github_reviewed_at": "2025-12-16T00:45:18Z", "severity": "MODERATE" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-14674
- https://gitee.com/aizuda/snail-job/commit/978f316c38b3d68bb74d2489b5e5f721f6675e86
- https://gitee.com/aizuda/snail-job/issues/ICNUG0
- https://gitee.com/aizuda/snail-job/issues/ICNUG0#note_44321424_link
- https://gitee.com/aizuda/snail-job/releases/tag/vsj1.7.0-beta1
- https://github.com/aizuda/snail-job
- https://vuldb.com/?ctiid.336403
- https://vuldb.com/?id.336403
Affected packages
Maven / com.aizuda:snail-job
Package
- Name
- com.aizuda:snail-job
- View open source insights on deps.dev
- Purl
- pkg:maven/com.aizuda/snail-job
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.7.0-beta1
Affected versions
1.*
1.0.0-beta1
1.0.0-beta2
1.0.0-beta2.1
1.0.0-beta3
1.0.0
1.0.0-solon
1.0.1
1.1.0-beta1
1.1.0-beta2
1.1.0
1.1.0-jdk8-beta1
1.1.1
1.1.2
1.2.0-beta1
1.2.0-beta1.1
1.2.0-beta2
1.2.0
1.2.0-jdk8-beta1
1.2.0-jdk8-beta2.1
1.2.0-jdk8
1.3.0-beta1
1.3.0-beta1-jdk8
1.3.0-beta1.1
1.3.0-beta1.1-jdk8
1.3.0-beta1.2-jdk8
1.3.0-beta2
1.3.0
1.3.0-jdk8
1.4.0-beta1
1.4.0-beta1-jdk8
1.4.0-beta2
1.4.0
1.4.0-jdk8
1.5.0-beta1
1.5.0-beta1-jdk8
1.5.0
1.5.0-jdk8
1.6.0-beta1
1.6.0-beta1-jdk8
1.6.0
1.6.0-jdk8