← Back

CVE-2025-63690

nvd nist
Published: Nov 7, 2025Modified: Dec 8, 2025

JSON object

Loading...
9.1
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.3 / Impact: 6.0
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat's built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.

Affected (1)

Products: Pig4cloud: Pig
Pig4cloud
1 product
Pig
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Pig
Up to 3.8.2

Related CWEs

CWE-470
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

References (2)

Source: cve@mitre.org
ExploitThird Party Advisory
Source: cve@mitre.org
Broken Link

Timeline

No history available yet.