CVE-2025-13426

· Published 05/12/2025 22:15 · Modified 08/12/2025 18:26

Labels: CVE-2025-13426, 2025-12-05, CWE-913, f45cbf4e-4146-4068-b7e1-655ffc2c548c

Essential information

Published
05/12/2025 22:15
Modified
08/12/2025 18:26
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No

Description

A vulnerability exists in Google Apigee's JavaCallout policy (https://docs.apigee.com/api-platform/reference/policies/java-callout-policy) that allows for remote code execution. A user can write a JavaCallout that injects a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems.

The Apigee hybrid versions below have all been updated to protect from this vulnerability:

* Hybrid_1.11.2+
* Hybrid_1.12.4+
* Hybrid_1.13.3+
* Hybrid_1.14.1+
* OPDK_5202+
* OPDK_5300+

NVD status

Status
Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
f45cbf4e-4146-4068-b7e1-655ffc2c548c

References