Home

Description

EN DE

A vulnerability was found in aizuda snail-job 1.4.0. It has been classified as critical. Affected is the function getRuntime of the file /snail-job/workflow/check-node-expression of the component Workflow-Task Management Module. The manipulation of the argument nodeExpression leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Es wurde eine kritische Schwachstelle in aizuda snail-job 1.4.0 ausgemacht. Betroffen hiervon ist die Funktion getRuntime der Datei /snail-job/workflow/check-node-expression der Komponente Workflow-Task Management Module. Mittels dem Manipulieren des Arguments nodeExpression mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.

PUBLISHED Reserved 2025-03-21 | Published 2025-03-22 | Updated 2025-03-24 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.5AV:N/AC:L/Au:S/C:P/I:P/A:P

Problem types

Deserialization

Improper Input Validation

Product status

1.4.0
affected

Timeline

2025-03-21:Advisory disclosed
2025-03-21:VulDB entry created
2025-03-21:VulDB entry last update

Credits

startr4ck (VulDB User) reporter

References

gitee.com/aizuda/snail-job/issues/IBSQ24 exploit

vuldb.com/?id.300624 (VDB-300624 | aizuda snail-job Workflow-Task Management Module check-node-expression getRuntime deserialization) vdb-entry technical-description

vuldb.com/?ctiid.300624 (VDB-300624 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.518999 (Submit #518999 | gitee/github snail-job 1.4.0 Command Injection) third-party-advisory

gitee.com/aizuda/snail-job/issues/IBSQ24 exploit issue-tracking

gitee.com/aizuda/snail-job/issues/IBSQ24 issue-tracking

cve.org (CVE-2025-2622)

nvd.nist.gov (CVE-2025-2622)

Download JSON