Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator
Description
Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote code execution vulnerability in Apache Ranger's NashornScriptEngineCreator allows attackers to execute arbitrary code on affected systems (versions ≤ 2.7.0).
Vulnerability
Overview
CVE-2025-59059 is a remote code execution (RCE) vulnerability in the NashornScriptEngineCreator component of Apache Ranger, affecting versions up to and including 2.7.0 [1][2][3]. The flaw resides in how the Nashorn JavaScript engine is instantiated and used within Ranger's scripting capabilities. Nashorn, which was deprecated in JDK 15 and removed in later versions, can be abused to execute arbitrary Java code if an attacker can control the script input [3].
Exploitation
Prerequisites
An attacker must be able to supply a malicious script to the NashornScriptEngineCreator, likely through a network-facing interface that accepts user-supplied JavaScript or expressions. No authentication is explicitly mentioned as a barrier, suggesting that unauthenticated or low-privileged users may be able to trigger the vulnerability [3]. The attack surface includes any Ranger service that leverages the Nashorn engine for policy evaluation or dynamic scripting.
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands or Java code with the privileges of the Ranger process. This could lead to full compromise of the Ranger server, including access to sensitive data managed by Ranger (e.g., Hadoop cluster policies, credentials) and lateral movement within the data infrastructure [2][3].
Mitigation
Apache has released Ranger version 2.8.0, which removes or replaces the vulnerable NashornScriptEngineCreator. Users are strongly advised to upgrade immediately [1][3]. No workarounds have been published, and the vulnerability is considered low severity by the Apache project [3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.ranger:ranger-plugins-common (Maven) | < 2.8.0 | 2.8.0 |
Affected products
- Apache Software Foundation / Apache Ranger
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-c87w-642h-m97h (GitHub Security Advisory)
- [2] https://lists.apache.org/thread/z47q86rho80390lf2qcmoc2josvs0gtv (Apache vendor advisory)
- [3] https://nvd.nist.gov/vuln/detail/CVE-2025-59059 (NVD)
- [4] https://www.openwall.com/lists/oss-security/2026/03/02/5 (oss-security announcement)
News mentions
No linked articles in our index yet.