CVE-2025-58059 – com.ritense.valtimo:core
Package
Manager: maven
Name: com.ritense.valtimo:core
Vulnerable Version: >=0 <12.16.0.release || >=13.0.0.release <13.1.2.release
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00057 (percentile 0.1793)
Details
Valtimo scripting engine can be used to gain access to sensitive data or resources

### Impact

Any admin who can create or modify and execute process definitions could gain access to sensitive data or resources. This includes, but is not limited to:

- Running executables on the application host
- Inspecting and extracting data from the host environment or application properties
- Spring beans (application context, database pooling)

### Attack requirements

The following conditions have to be met in order to perform this attack:

- The user must be logged in
- The user must have the admin role (ROLE_ADMIN), which is required to change process definitions
- The user must have some knowledge about running scripts via the Camunda/Operaton engine

### Patches

Versions 12.16.0 and 13.1.2 have been patched. It is strongly advised to upgrade.

### Workarounds

If no scripting is needed in any of the processes, it could be possible to disable it altogether via the `ProcessEngineConfiguration`:

```
@Component
class NoScriptEnginePlugin : ProcessEnginePlugin {
    override fun preInit(processEngineConfiguration: ProcessEngineConfigurationImpl) {}

    override fun postInit(processEngineConfiguration: ProcessEngineConfigurationImpl) {
        // Remove the script engine resolver so the engine can no longer resolve a scripting language
        processEngineConfiguration.scriptEngineResolver = null
    }

    override fun postProcessEngineBuild(processEngine: ProcessEngine) {}
}
```

Warning: this workaround could lead to unexpected side-effects. Please test thoroughly.

### References

- Valtimo 12 and lower: [Camunda Scripting](https://docs.camunda.org/manual/latest/user-guide/process-engine/scripting/#custom-scriptengineresolver)
- Valtimo 13 and higher: [Operaton Scripting](https://docs.operaton.org/docs/documentation/user-guide/process-engine/scripting)
Metadata
Created: 2025-08-28T16:46:10Z
Modified: 2025-08-28T18:52:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-w48j-pp7j-fj55/GHSA-w48j-pp7j-fj55.json
CWE IDs: ["CWE-200", "CWE-78"]
Alternative ID: GHSA-w48j-pp7j-fj55
Finding: F404
Auto approve: 1