VYPR
Critical severity · NVD Advisory · Published Jan 25, 2023 · Updated Apr 1, 2025

CVE-2022-25894

Description

All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via the jexl.createExpression(expression).evaluate(context) functionality, due to improper user input validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

All versions of uflo-core are vulnerable to remote code execution via the JEXL expression evaluator in ExpressionContextImpl due to missing input validation.

Background

CVE-2022-25894 affects all versions of the com.bstek.uflo:uflo-core package. The vulnerability resides in the ExpressionContextImpl class, specifically in the method that calls jexl.createExpression(expression).evaluate(context). This code path passes user-controllable input directly to the Apache JEXL (Java Expression Language) evaluator without any sanitization or validation [1][3].

Exploitation

An attacker who can influence the expression parameter passed to the vulnerable method can inject arbitrary JEXL expressions. Because JEXL supports calling Java methods and accessing the runtime environment, a crafted expression can execute system commands or load arbitrary classes. The attack does not require authentication if the vulnerable endpoint is exposed to untrusted users [2][3].

Impact

Successful exploitation allows arbitrary remote code execution (RCE) in the context of the application server. The attacker can execute operating system commands, read or modify sensitive data, and potentially move laterally within the network. The full impact depends on the privileges of the running process [3].

Mitigation

As of the publication date, there is no patched version of the uflo-core package available [3]. Users are advised to restrict access to any interface that may pass user input to the JEXL expression evaluator, implement strict input validation (e.g., allowlisting of allowed expressions), or consider migrating to an alternative workflow engine if the component is critical [1][3].
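The mitigation above comes down to never handing the JEXL engine an attacker-influenced expression with unrestricted class access. As an added illustration (not uflo's code), the following wraps the same createExpression(...).evaluate(...) call in a block-by-default JexlSandbox so that only named methods on named classes can be called; it assumes the Apache Commons JEXL 3.3 API (JexlSandbox.allow, called white in earlier 3.x releases), and the variable names and allowed methods are constructed for the demonstration.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public class SandboxedExpressionContext {
    private final JexlEngine jexl;

    public SandboxedExpressionContext() {
        // false = block by default: any class not listed below exposes no methods or properties,
        // so expressions cannot reach the runtime, reflection or class loading.
        JexlSandbox sandbox = new JexlSandbox(false);
        // Constructed allowlist: only these String methods may be invoked from an expression.
        sandbox.allow(String.class.getName()).execute("length", "toUpperCase", "trim");
        this.jexl = new JexlBuilder()
                .sandbox(sandbox)
                .strict(true)    // unresolved variables and methods are errors, not nulls
                .silent(false)   // errors propagate as JexlException instead of being swallowed
                .create();
    }

    // Same call shape as the vulnerable code path, now behind the sandbox. Callers should
    // still restrict which expression strings reach this method, as the advisory recommends.
    public Object evaluate(String expression, JexlContext context) {
        return jexl.createExpression(expression).evaluate(context);
    }

    public static void main(String[] args) {
        SandboxedExpressionContext ctx = new SandboxedExpressionContext();
        JexlContext vars = new MapContext();          // constructed sample variables
        vars.set("amount", 1500);
        vars.set("applicant", "alice");

        // Operators and allowlisted methods work as before.
        System.out.println(ctx.evaluate("amount > 1000", vars));           // true
        System.out.println(ctx.evaluate("applicant.toUpperCase()", vars)); // ALICE

        // A method that is not allowlisted on String is refused by the sandbox.
        try {
            ctx.evaluate("applicant.getClass()", vars);
        } catch (JexlException e) {
            System.out.println("blocked by sandbox: " + e.getMessage());
        }
    }
}
```

Exposing only the variables an expression needs (rather than request objects or services) keeps the sandbox allowlist short and reviewable.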

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  | Ecosystem | Affected versions | Patched versions
com.bstek.uflo:uflo-core | Maven     | <= 2.1.5          | None

Affected products: 3

Patches: 0. No patches discovered yet.

References: 7

News mentions: 0. No linked articles in our index yet.