CVE-2025-61982
Description
An arbitrary code execution vulnerability exists in the Code Stream directive functionality of OpenCFD OpenFOAM 2506. A specially crafted OpenFOAM simulation file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenFOAM 2506's #codeStream directive compiles and executes arbitrary C++ code from simulation files, allowing code injection with no user warning.
Vulnerability Overview
CVE-2025-61982 is an arbitrary code execution vulnerability in OpenCFD OpenFOAM 2506, a popular open-source computational fluid dynamics (CFD) package. The flaw resides in the #codeStream directive functionality within dictionary files (e.g., controlDict, meshDict). These files are part of the simulation input structure and can contain C++ code that is automatically compiled and executed during simulation runtime [1].
Exploitation Details
An attacker can craft a malicious OpenFOAM simulation file containing a #codeStream directive with arbitrary C++ code, including calls to system functions like system(). The vulnerability. The attack vector is local (AV:L) and requires user interaction (UI:R), meaning the victim must open the malicious file. No authentication is needed (PR:N). The allowSystemOperations option, which can disable this behavior, defaults to true and no warning is presented to users about the risk of running untrusted simulations [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user running the simulation, leading to full compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS v3.1 score is 7.8 (High) [1].
Mitigation
As of the publication date (2026-02-18), no patch has been announced. Users should set allowSystemOperations false in the OpenFOAM configuration file to disable automatic code generation and execution. However, this is a manual workaround and not a default setting. Users are advised to only run simulation files from trusted sources [1].
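A pre-run check for untrusted case files, added here as an example and not code from OpenCFD or the cited advisory: it reports every live (non-commented) #codeStream directive in a dictionary and whether allowSystemOperations is still enabled. The function names, the sample input and the spellings accepted as "disabled" are assumptions.

```python
import re

# Strings are matched first so that "//" inside a quoted value is not
# mistaken for a comment; comments are blanked, newlines kept for numbering.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
_DIRECTIVE = re.compile(r"#codeStream\b")
_SWITCH = re.compile(r"\ballowSystemOperations\s+(\w+)\s*;")
_OFF = {"0", "false", "off", "no"}  # assumed spellings of "disabled"

def strip_comments(text):
    """Remove C/C++ style comments, leaving quoted strings untouched."""
    def blank(m):
        s = m.group(0)
        return s if s.startswith('"') else "\n" * s.count("\n")
    return _TOKEN.sub(blank, text)

def find_code_stream(text):
    """Return (line_number, stripped_line) for each live #codeStream."""
    lines = strip_comments(text).splitlines()
    return [(n, l.strip()) for n, l in enumerate(lines, 1)
            if _DIRECTIVE.search(l)]

def system_operations_enabled(config_text):
    """True unless the switch is explicitly off; an absent setting counts
    as enabled, matching the default the advisory reports."""
    m = _SWITCH.search(strip_comments(config_text))
    return m is None or m.group(1).lower() not in _OFF

def vet_case(dictionaries, config_text):
    """dictionaries: {file name: contents}. Returns (exposed, findings);
    exposed means embedded code is present and would be compiled and run."""
    findings = {name: hits for name, text in dictionaries.items()
                if (hits := find_code_stream(text))}
    return bool(findings) and system_operations_enabled(config_text), findings

# Constructed sample dictionary, not taken from a real case.
SAMPLE_DICT = '''\
// #codeStream commented out, not live
startTime 0;
/* block comment
   #codeStream also dead */
endTime #codeStream
{
    code #{ os << 1; #};
};
'''

if __name__ == "__main__":
    print(vet_case({"controlDict": SAMPLE_DICT}, "allowSystemOperations 0;"))
```

The check over-reports on purpose: a #codeStream that appears inside a quoted string is still flagged, so a finding means "review this file by hand", not proof of malice.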
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.