PT-2025-48264 · Apache · Apache Cloudstack

Published

2025-11-27

·

Updated

2025-12-04

·

CVE-2025-59302

CVSS v3.1

4.7

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Apache CloudStack versions 4.18.0 through 4.20.1
Apache CloudStack versions 4.21.0 through 4.21.9

Description

An improper control of code generation ('Code Injection') issue exists in Apache CloudStack in several APIs that are accessible only to administrators: quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector and updateHost. Input passed to these APIs is interpreted as JavaScript expressions without sufficient control over what is evaluated, so an account able to call them (administrator privileges, CVSS PR:H) can inject code. A new global configuration flag, js.interpretation.enabled, has been introduced to control JavaScript expression interpretation in these APIs and mitigate the risk.

Recommendations

Upgrade to Apache CloudStack version 4.20.2 or later (4.18.x to 4.20.x deployments) or to version 4.22.0 or later (4.21.x deployments). After upgrading, review the js.interpretation.enabled global setting and set it to false unless these APIs genuinely need JavaScript expression evaluation.
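The following script is an added example, not part of this advisory or of the CloudStack project. It classifies a reported CloudStack version against the affected ranges above, names the first fixed release for that branch, and, on a fixed release, checks whether js.interpretation.enabled is still on. The live queries assume the CloudMonkey CLI (cmk) is installed and configured with an admin API key; the -o json flag, the listCapabilities and listConfigurations calls and the cloudstackversion/value field names are assumptions about that tooling, and the sample JSON is constructed, not captured from a server.

```shell
#!/bin/sh
# Added example for CVE-2025-59302 (not the advisory's or CloudStack's own code).
# Version ranges and the js.interpretation.enabled flag come from the advisory;
# the cmk command lines and JSON field names are assumptions about CloudMonkey.
set -e

# version_affected VERSION -> exit 0 if VERSION is in an affected range:
#   4.18.0 <= v <= 4.20.1   or   4.21.0 <= v <= 4.21.9
# Accepts the four-part strings CloudStack reports (e.g. 4.20.1.0).
version_affected() {
  v=$1
  [ -n "$v" ] || return 1
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3)
  patch=${patch:-0}
  [ "$major" -eq 4 ] || return 1
  if [ "$minor" -ge 18 ] && [ "$minor" -le 20 ]; then
    # every 4.18.x and 4.19.x release is affected; 4.20.x only up to 4.20.1
    if [ "$minor" -eq 20 ] && [ "$patch" -gt 1 ]; then return 1; fi
    return 0
  fi
  if [ "$minor" -eq 21 ] && [ "$patch" -le 9 ]; then return 0; fi
  return 1
}

# fixed_release_for VERSION -> prints the first fixed release for that branch
fixed_release_for() {
  case "$1" in
    4.21.*) echo "4.22.0" ;;
    *)      echo "4.20.2" ;;
  esac
}

# flag_value_from_json reads listConfigurations JSON on stdin and prints the
# "value" field of the returned entry ("true" / "false"); prints nothing if
# the setting does not exist (older, unpatched release).
flag_value_from_json() {
  sed -n 's/.*"value": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample (not real server output) of what
#   cmk -o json list configurations name=js.interpretation.enabled
# is assumed to return on a patched release with the flag switched on.
SAMPLE_CONFIG_JSON='{"configuration":[{"category":"Advanced","name":"js.interpretation.enabled","value":"true"}],"count":1}'

# live_check queries the configured management server. Exit codes:
#   0 patched and flag off, 1 patched but flag on, 2 affected release.
live_check() {
  ver=$(cmk -o json list capabilities \
        | sed -n 's/.*"cloudstackversion": *"\([^"]*\)".*/\1/p' | head -n 1)
  echo "CloudStack version: ${ver:-unknown}"
  if version_affected "$ver"; then
    echo "AFFECTED by CVE-2025-59302: upgrade to $(fixed_release_for "$ver") or later"
    return 2
  fi
  flag=$(cmk -o json list configurations name=js.interpretation.enabled \
         | flag_value_from_json)
  echo "js.interpretation.enabled = ${flag:-<not present>}"
  if [ "$flag" = "true" ]; then
    echo "JavaScript interpretation is enabled; disable it unless these APIs need it:"
    echo "  cmk update configuration name=js.interpretation.enabled value=false"
    return 1
  fi
  return 0
}

# Usage: sh check_cve_2025_59302.sh --live
if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

Without --live the script only defines the functions, so the classification logic can be exercised offline; with --live it talks to the management server through cmk. Disabling the flag stops JavaScript evaluation in the listed APIs, so any configuration that relied on such expressions stops being evaluated and should be reviewed before the change is made in production.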

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-59302

Affected Products

Apache Cloudstack