CVE-2025-59302

Summary

In Apache CloudStack improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins.

  • quotaTariffCreate
  • quotaTariffUpdate
  • createSecondaryStorageSelector
  • updateSecondaryStorageSelector
  • updateHost
  • updateStorage

This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix.

The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache CloudStack4.18.0 < 4.20.2affected
Apache Software FoundationApache CloudStack4.21.0 < 4.22.0affected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References