Critical severity 9.8 · NVD Advisory · Published Jun 30, 2025 · Updated Apr 15, 2026
CVE-2025-26074
Description
Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.conductoross:conductor-core (Maven) | < 3.21.13 | 3.21.13 |
Patches
1. e9816501df1e — Add --no-java flag for Nashorn runtime (#429)
4 files changed · +13 −14
conductor-clients/java/conductor-java-sdk/build.gradle+1 −0 modified@@ -35,6 +35,7 @@ subprojects { implementation "com.fasterxml.jackson.datatype:jackson-datatype-jsr310:${versions.jackson}" implementation "com.fasterxml.jackson.module:jackson-module-kotlin:${versions.jackson}" implementation "com.fasterxml.jackson.module:jackson-module-afterburner:${versions.jackson}" + implementation "org.openjdk.nashorn:nashorn-core:15.4" implementation "org.slf4j:slf4j-api:${versions.slf4j}" implementation "org.apache.commons:commons-lang3:${versions.commonsLang}"
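Review bot: The new `nashorn-core` line pins the engine as the literal `15.4`, while every neighbouring dependency in this hunk takes its version from the `versions` map (`${versions.jackson}`, `${versions.slf4j}`, `${versions.commonsLang}`). Since the core module's `ScriptEvaluator` already imported the Nashorn factory before this change, the two modules can now drift onto different engine versions unless the SDK pin is moved into the shared map, e.g. `implementation "org.openjdk.nashorn:nashorn-core:${versions.nashorn}"` with a `nashorn` entry added alongside the others. The `subprojects` block continues outside the hunk.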
conductor-clients/java/conductor-java-sdk/sdk/src/main/java/com/netflix/conductor/sdk/workflow/def/tasks/Javascript.java+3 −3 modified@@ -19,9 +19,9 @@ import javax.script.Bindings; import javax.script.ScriptEngine; -import javax.script.ScriptEngineManager; import javax.script.ScriptException; +import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -100,7 +100,7 @@ public String getExpression() { * @return */ public Javascript validate() { - ScriptEngine scriptEngine = new ScriptEngineManager().getEngineByName(ENGINE); + ScriptEngine scriptEngine = new NashornScriptEngineFactory().getScriptEngine("--no-java"); if (scriptEngine == null) { LOGGER.error("missing " + ENGINE + " engine. Ensure you are running supported JVM"); return this; @@ -128,7 +128,7 @@ public Javascript validate() { */ public Object test(Map<String, Object> input) { - ScriptEngine scriptEngine = new ScriptEngineManager().getEngineByName(ENGINE); + ScriptEngine scriptEngine = new NashornScriptEngineFactory().getScriptEngine("--no-java"); if (scriptEngine == null) { LOGGER.error("missing " + ENGINE + " engine. Ensure you are running supported JVM"); return this;
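Review bot: The `if (scriptEngine == null)` guard that follows each new `new NashornScriptEngineFactory().getScriptEngine("--no-java")` line in `validate()` and `test()` looks dead now: as far as I can tell the factory constructs the engine directly rather than looking it up by name, so an absent engine surfaces as a missing class at load time rather than as `null`, and the `"missing " + ENGINE + " engine"` log line no longer describes a reachable condition. The same construction line is now repeated in both methods here and, with the ES6 variant, in the two hunks of `java-sdk/.../Javascript.java` and in `ScriptEvaluator.initEngine`; a single helper such as `private static ScriptEngine newSandboxedEngine() { return new NashornScriptEngineFactory().getScriptEngine("--no-java"); }` would keep the hardening flag in one place so a later edit cannot drop it from one call site. A one-line comment on that helper, `// --no-java: expression scripts must not reach JVM classes (CVE-2025-26074)`, would record why the flag is mandatory. Both `validate()` and `test()` continue past the hunk.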
core/src/main/java/com/netflix/conductor/core/events/ScriptEvaluator.java+3 −4 modified@@ -14,7 +14,6 @@ import javax.script.Bindings; import javax.script.ScriptEngine; -import javax.script.ScriptEngineManager; import javax.script.ScriptException; import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory; @@ -61,11 +60,11 @@ public static String getEnv(String name) { public static void initEngine(boolean reInit) { if (engine == null || reInit) { + NashornScriptEngineFactory factory = new NashornScriptEngineFactory(); if ("true".equalsIgnoreCase(getEnv("CONDUCTOR_NASHORN_ES6_ENABLED"))) { - NashornScriptEngineFactory factory = new NashornScriptEngineFactory(); - engine = factory.getScriptEngine("--language=es6"); + engine = factory.getScriptEngine("--language=es6", "--no-java"); } else { - engine = new ScriptEngineManager().getEngineByName("Nashorn"); + engine = factory.getScriptEngine("--no-java"); } } if (engine == null) {
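Review bot: `--no-java` on the two new `factory.getScriptEngine(...)` calls in `initEngine` removes the script-visible Java globals, but the factory's `ClassFilter` hook is left unused here; layering a deny-all filter through the `getScriptEngine(String[], ClassLoader, ClassFilter)` overload, e.g. `engine = factory.getScriptEngine(new String[] {"--no-java"}, null, className -> false);` (and the same with `"--language=es6"` in the ES6 branch), would keep JVM classes unreachable even if the flag is dropped in a future refactor — verify the overload's handling of a `null` application loader before relying on it. A short comment above the new lines would record the intent, e.g. `// --no-java: event-handler scripts must never reach JVM classes (CVE-2025-26074)`. As far as I know the flag does not bound CPU or memory, so a long-running expression still occupies the evaluating thread; that is outside this commit's scope but belongs in the same comment. The `engine == null` check after the hunk and the unsynchronized lazy initialisation of the static `engine` field are unchanged by this commit, and the method continues past the hunk.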
java-sdk/src/main/java/com/netflix/conductor/sdk/workflow/def/tasks/Javascript.java+6 −7 modified@@ -19,7 +19,6 @@ import javax.script.Bindings; import javax.script.ScriptEngine; -import javax.script.ScriptEngineManager; import javax.script.ScriptException; import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory; @@ -103,11 +102,11 @@ public String getExpression() { */ public Javascript validate() { ScriptEngine scriptEngine; + NashornScriptEngineFactory factory = new NashornScriptEngineFactory(); if ("true".equalsIgnoreCase(System.getenv("CONDUCTOR_NASHORN_ES6_ENABLED"))) { - NashornScriptEngineFactory factory = new NashornScriptEngineFactory(); - scriptEngine = factory.getScriptEngine("--language=es6"); + scriptEngine = factory.getScriptEngine("--language=es6", "--no-java"); } else { - scriptEngine = new ScriptEngineManager().getEngineByName("Nashorn"); + scriptEngine = factory.getScriptEngine("--no-java"); } if (scriptEngine == null) { LOGGER.error("missing " + ENGINE + " engine. Ensure you are running supported JVM"); @@ -137,11 +136,11 @@ public Javascript validate() { public Object test(Map<String, Object> input) { ScriptEngine scriptEngine; + NashornScriptEngineFactory factory = new NashornScriptEngineFactory(); if ("true".equalsIgnoreCase(System.getenv("CONDUCTOR_NASHORN_ES6_ENABLED"))) { - NashornScriptEngineFactory factory = new NashornScriptEngineFactory(); - scriptEngine = factory.getScriptEngine("--language=es6"); + scriptEngine = factory.getScriptEngine("--language=es6", "--no-java"); } else { - scriptEngine = new ScriptEngineManager().getEngineByName("Nashorn"); + scriptEngine = factory.getScriptEngine("--no-java"); } if (scriptEngine == null) { LOGGER.error("missing " + ENGINE + " engine. Ensure you are running supported JVM");
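Review bot: This copy of `Javascript` honours `CONDUCTOR_NASHORN_ES6_ENABLED` in both `validate()` and `test()`, while the `conductor-clients` copy of the same class patched in the earlier hunk builds a plain `--no-java` engine with no ES6 branch, and `ScriptEvaluator.initEngine` reads the same variable through its `getEnv` helper rather than `System.getenv`; if the two SDK copies are meant to stay in sync, the divergence should be reconciled or stated in the class Javadoc. Constructing a `NashornScriptEngineFactory` on every call is presumably cheap, but a `private static final NashornScriptEngineFactory FACTORY = new NashornScriptEngineFactory();` would make it obvious the factory carries no per-call state and removes the new local from both methods. Both `validate()` and `test()` continue past their hunks.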
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/advisories/GHSA-8gqp-hr9g-pg62 (ghsa · ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-26074 (ghsa · ADVISORY)
- github.com/conductor-oss/conductor/blob/main/core/src/main/java/com/netflix/conductor/core/events/ScriptEvaluator.java (nvd · WEB)
- github.com/conductor-oss/conductor/commit/e9816501df1e364a3d39d7fe37d6e167c40eaa1b (ghsa · WEB)
- medium.com/@mrcnry/cve-2025-26074-remote-code-execution-in-conductor-oss-via-inline-javascript-injection-5ce3cb651cfb (nvd · WEB)