Shiyi Blog
CVE-2025-12305
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was found in quequnlong shiyi-blog up to 1.2.1. This impacts an unknown function of the file src/main/java/com/mojian/controller/SysJobController.java of the component Job Handler. The manipulation results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used.
Analysis (AI)
Remote code execution in Shiyi Blog up to version 1.2.1 allows authenticated remote attackers to execute arbitrary code via unsafe deserialization in the Job Handler component (SysJobController.java). The CVSS score of 2.1 reflects the authenticated access the flaw requires and its limited scope, but the combination of a public exploit, a demonstrated deserialization flaw and network reachability creates moderate operational risk despite the low severity rating.
Technical Context (AI)
The vulnerability exists in the Job Handler component within src/main/java/com/mojian/controller/SysJobController.java of the Shiyi Blog application, a Java-based blogging platform. The root cause is classified as CWE-20 (Improper Input Validation), manifesting as unsafe deserialization of untrusted data. Java deserialization vulnerabilities occur when an application deserializes data from an untrusted source without proper validation, allowing attackers to instantiate arbitrary classes and trigger code execution through gadget chains available in the application's classpath. The vulnerability is remotely accessible via the HTTP interface, making it exploitable from the network boundary.
Remediation (AI)
Immediate action: upgrade Shiyi Blog to a patched version if the vendor has released one at https://github.com/quequnlong/shiyi-blog. If no newer version is available, restrict the Job Handler endpoint (/job or a similar path, depending on the routing configuration) to trusted administrators using network-level controls (firewall rules, reverse-proxy authentication). Apply input validation and deserialization safeguards: disable automatic deserialization of request data where possible, or enforce an allow-list of the classes that may be deserialized. Review authentication policies so that only the administrators who need job management have access to it. Monitor application logs for deserialization errors and unexpected job handler invocations. If the instance does not need to be reachable externally, isolate it from the public internet, which limits the attack surface to internal networks where authentication controls are stronger.
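One way to apply the allow-list safeguard described above, as an added example that is not Shiyi Blog's own code: a JEP 290 ObjectInputFilter (JDK 9+) that lets ObjectInputStream instantiate only explicitly listed classes, so a gadget class in an incoming job payload is rejected before any of its code runs. The SafeJobDeserializer name, the allow-listed classes and the sample payloads are assumptions.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Set;

// Hypothetical hardened helper (assumed name; not code from Shiyi Blog): every
// class met in the stream must be on an explicit allow-list or reading aborts.
public final class SafeJobDeserializer {

    // Assumed allow-list for a job payload. Anything else, including any gadget
    // class on the classpath, is rejected before it is instantiated.
    private static final Set<String> ALLOWED =
            Set.of("java.lang.String", "java.lang.Integer", "java.lang.Long");
    // JEP 290 filter (JDK 9+), consulted for every class, array and reference.
    private static final ObjectInputFilter ALLOW_LIST_FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // no class involved
        if (c.isArray()) c = c.getComponentType();
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    public static Object readJobPayload(byte[] payload)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ALLOW_LIST_FILTER); // must be set before readObject
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an allow-listed String deserializes normally.
        System.out.println(readJobPayload(serialize("rebuild-index")));
        // Constructed sample: ArrayList is not allow-listed, so ObjectInputStream
        // throws InvalidClassException ("filter status: REJECTED") at the filter check.
        try {
            readJobPayload(serialize(new ArrayList<>(Set.of("x"))));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern can be installed process-wide with the jdk.serialFilter system property, which also covers deserialization paths that application code does not set a filter on.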