CVE-2025-5679

Name of the Vulnerable Software and Affected Versions Shenzhen Dashi Tongzhou Information Technology AgileBPM versions up to 2.5.0

Description A critical issue has been discovered, affecting the parseStrByFreeMarker function in the file /src/main/java/com/dstz/sys/rest/controller/SysToolsController.java. The manipulation of the str argument leads to deserialization, allowing for a remote attack. The exploit has been publicly disclosed.

Recommendations For versions up to 2.5.0, consider disabling the parseStrByFreeMarker function as a temporary workaround until a patch is available. Restrict access to the SysToolsController.java file to minimize the risk of exploitation. Avoid using the str argument in the affected function until the issue is resolved.