Home

Description

An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.

PUBLISHED Reserved 2025-04-05 | Published 2025-06-06 | Updated 2025-06-06 | Assigner B.Braun




CRITICAL: 10.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Product status

Default status
unaffected

3.0 (custom)
affected

Credits

Fabian Weber (CODE WHITE GmbH) reporter

Dr. Florian Hauser (CODE WHITE GmbH) reporter

References

www.bbraun.com/productsecurity

cve.org (CVE-2025-3322)

nvd.nist.gov (CVE-2025-3322)

Download JSON