PT-2025-50308 · Google · Google Cloud Data Fusion
Tomas Lažauninkas · Published 2025-12-10 · Updated 2025-12-10
CVE-2025-9571
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Name of the Vulnerable Software and Affected Versions
Google Cloud Data Fusion versions prior to 6.10.6
Google Cloud Data Fusion versions prior to 6.11.1
Description
A remote code execution (RCE) issue exists in Google Cloud Data Fusion. An attacker with the ability to upload artifacts to a Data Fusion instance can execute arbitrary code within the core AppFabric component. Successful exploitation could grant the attacker control over the Data Fusion instance, potentially leading to unauthorized data access, modification of data pipelines, and infrastructure exploration.
Recommendations
Upgrade to Google Cloud Data Fusion version 6.10.6 or later.
Upgrade to Google Cloud Data Fusion version 6.11.1 or later.
Fix
RCE
Deserialization of Untrusted Data
Affected Products
Google Cloud Data Fusion