VYPR
Unrated severity · NVD Advisory · Published Nov 27, 2025 · Updated Feb 26, 2026

Apache CloudStack: Potential remote code execution on Javascript engine defined rules

CVE-2025-59302

Description

Apache CloudStack contains an improper control of generation of code ('Code Injection') vulnerability in the following APIs, all of which are accessible only to admins:

  • quotaTariffCreate
  • quotaTariffUpdate
  • createSecondaryStorageSelector
  • updateSecondaryStorageSelector
  • updateHost
  • updateStorage

This issue affects Apache CloudStack from 4.18.0 before 4.20.2 and from 4.21.0 before 4.22.0. Users are recommended to upgrade to version 4.20.2 or 4.22.0, which contain the fix.

The fix introduces a new global configuration flag, js.interpretation.enabled, that lets administrators control whether JavaScript expressions passed to these APIs are interpreted at all, thereby mitigating the code injection risk. The advisory does not state the flag's default value, so after upgrading, administrators should confirm the setting rather than assume it is off.

Affected products

  • Apache/Cloudstack: 2 version ranges
    • (no CPE) range: >=4.18.0 <4.20.2, >=4.21.0 <4.22.0
    • (no CPE) range: 4.18.0
