Description

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.

PUBLISHED | Reserved 2025-10-10 | Published 2026-01-30 | Updated 2026-01-31 | Assigner vmware




HIGH: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

HIGH: 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected
3006.0 (semver) before 3006.17: affected

Default status: unaffected
3007.0 (semver) before 3007.9: affected

Credits

Amr Kadry (reporter)

References

docs.saltproject.io/en/latest/topics/releases/3006.17.html (Salt 3006.17 release notes (fix for CVE-2025-62348)) release-notes vendor-advisory

cve.org (CVE-2025-62348)

nvd.nist.gov (CVE-2025-62348)
