PT-2025-45450 · Apache · Jakarta.El.Elprocessor
Published: 2025-11-07 · Updated: 2025-11-12 · CVE-2025-63690
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
pig-mesh versions 3.8.2 and below
Description
The software contains a flaw that allows remote code execution. When a scheduled task is configured through the Quartz management function in the system management module, the task definition can name an arbitrary Java class that has a parameterless constructor together with a method that accepts a single String parameter; the class is instantiated and the method invoked through reflection. Because any such class on the classpath is reachable, the flaw can be leveraged to execute commands via the eval method of Tomcat's jakarta.el.ELProcessor class. Reaching the function requires an account with access to the system management module, which is reflected in the PR:H component of the vector.
Recommendations
Versions prior to 3.8.2 should be updated.
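The defect described above is a general pattern: a scheduler that resolves a user-supplied class name and method name through reflection gives a privileged user the whole classpath as a job surface. The following added example (not pig-mesh code; class, method and job-key names are assumptions made for illustration) shows that unchecked pattern next to a hardened form in which the task definition selects a key from a fixed registry of job handlers, so no reflection on a supplied name ever happens and unknown keys are rejected and logged.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.function.Function;

/**
 * Illustrative scheduled-task runner (constructed for this example, not the
 * project's own code). Demonstrates the unchecked reflection pattern and an
 * allowlisted replacement.
 */
public class TaskInvocation {

    /**
     * Unchecked pattern: class name, method name and argument all come from the
     * task definition. Any public class with a parameterless constructor and a
     * public method taking one String is reachable.
     */
    public static Object runUnchecked(String className, String methodName, String arg) throws Exception {
        Class<?> clazz = Class.forName(className);                     // resolves any class on the classpath
        Object target = clazz.getDeclaredConstructor().newInstance();  // any parameterless constructor
        Method m = clazz.getMethod(methodName, String.class);          // any public method (String)
        return m.invoke(target, arg);
    }

    /**
     * Hardened pattern: the task definition carries a job key, not a class or
     * method name. The key is looked up in a registry fixed at build time.
     */
    private static final Map<String, Function<String, String>> ALLOWED_JOBS = Map.of(
        "report.generate", TaskInvocation::generateReport,
        "cache.evict",     TaskInvocation::evictCache
    );

    public static String runAllowlisted(String jobKey, String arg) {
        Function<String, String> job = ALLOWED_JOBS.get(jobKey);
        if (job == null) {
            // Reject outright; never fall back to resolving the supplied name.
            // In a real service this is also the place to emit an audit event,
            // since an unknown key from the admin UI is worth investigating.
            throw new IllegalArgumentException("unknown job key rejected: " + jobKey);
        }
        return job.apply(arg);
    }

    // Stand-in job implementations (assumed for the example).
    static String generateReport(String name) { return "report " + name + " generated"; }
    static String evictCache(String region)   { return "cache " + region + " evicted"; }

    public static void main(String[] args) throws Exception {
        // The unchecked runner happily instantiates a class it was never meant to
        // run; a benign one here (StringBuilder has a no-arg constructor and
        // append(String)) shows how broad the reachable surface is.
        Object sb = runUnchecked("java.lang.StringBuilder", "append", "reachable");
        System.out.println("unchecked runner returned: " + sb);

        // The allowlisted runner only executes registered handlers.
        System.out.println(runAllowlisted("report.generate", "monthly"));

        // A task definition naming anything outside the registry is rejected.
        try {
            runAllowlisted("jakarta.el.ELProcessor", "ignored");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The point of the registry is that the set of executable code is decided by the developer, not by the task record stored through the management UI; a review of the scheduler for any remaining `Class.forName` or `getMethod` call fed by request or database data is the practical check to run after upgrading.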
Affected Products
Quartz
Apache Tomcat
Jakarta.El.Elprocessor
Pig-Mesh