CVE-2025-13426 | THREATINT

Description

A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: * Hybrid_1.11.2+ * Hybrid_1.12.4+ * Hybrid_1.13.3+ * Hybrid_1.14.1+ * OPDK_5202+ * OPDK_5300+

PUBLISHED Reserved 2025-11-19 | Published 2025-12-05 | Updated 2025-12-05 | Assigner GoogleCloud

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear

Problem types

CWE-913 Improper Control of Dynamically-Managed Code Resources

Product status

Default status

unaffected

Any version before Hybrid_1.11.2

affected

Any version before Hybrid_1.12.4

affected

Any version before Hybrid_1.13.3

affected

Any version before Hybrid_1.14.1

affected

Any version before OPDK_5202

affected

Any version before OPDK_5300

affected

Credits

Nikita Markevich finder

References

docs.cloud.google.com/apigee/docs/hybrid/release-notes

cve.org (CVE-2025-13426)

nvd.nist.gov (CVE-2025-13426)

Download JSON