CVE-2025-2622 – com.aizuda:snail-job

Package

Manager: maven
Name: com.aizuda:snail-job
Vulnerable Version: =1.4.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00083 pctl0.25085

Details

aizuda snail-job Vulnerable to Deserialization via `nodeExpression` Argument A vulnerability was found in aizuda snail-job 1.4.0. It has been classified as critical. Affected is the function getRuntime of the file /snail-job/workflow/check-node-expression of the component Workflow-Task Management Module. The manipulation of the argument nodeExpression leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Metadata

Created: 2025-03-22T18:30:25Z
Modified: 2025-03-24T19:57:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-4m5h-5v4q-4xgq/GHSA-4m5h-5v4q-4xgq.json
CWE IDs: ["CWE-20", "CWE-502"]
Alternative ID: GHSA-4m5h-5v4q-4xgq
Finding: F096
Auto approve: 1