PowerJob
CVE-2025-14518
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1Blast Radius
ecosystem impact- 11 maven packages depend on tech.powerjob:powerjob-common (3 direct, 8 indirect)
Ecosystem-wide dependent count for version 5.1.2.
DescriptionCVE.org
A vulnerability was identified in PowerJob up to 5.1.2. This vulnerability affects the function checkConnectivity of the file src/main/java/tech/powerjob/common/utils/net/PingPongUtils.java of the component Network Request Handler. The manipulation of the argument targetIp/targetPort leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
AnalysisAI
Server-side request forgery in PowerJob up to version 5.1.2 allows authenticated remote attackers to manipulate the targetIp and targetPort arguments in the checkConnectivity function of the Network Request Handler component, enabling SSRF attacks with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the EPSS score of 0.03% indicates minimal real-world exploitation probability despite the public exploit availability, suggesting this vulnerability has seen limited active abuse.
Technical ContextAI
PowerJob's Network Request Handler component in src/main/java/tech/powerjob/common/utils/net/PingPongUtils.java contains a checkConnectivity function that accepts user-controlled targetIp and targetPort parameters without proper validation. This is a classic Server-Side Request Forgery (CWE-918) vulnerability where an authenticated user can manipulate these parameters to force the server to make HTTP or network requests to unintended destinations, potentially internal services, metadata endpoints, or external systems. The vulnerability exists in the Java-based PowerJob distributed task scheduling platform, which is commonly deployed in containerized environments and microservices architectures where SSRF can be weaponized to access metadata services or internal APIs.
RemediationAI
Upgrade PowerJob to the first patched version released after 5.1.2 by checking the official PowerJob GitHub repository (https://github.com/PowerJob/PowerJob/) releases page for version 5.1.3 or later that addresses issue #1144. If immediate upgrade is not possible, implement input validation and allowlisting for the targetIp and targetPort parameters in the checkConnectivity function to restrict requests to known safe internal services only, though this requires source code modification and is not a substitute for patching. Additionally, restrict network-level access to the PowerJob application to trusted users and internal networks only, ensuring that authenticated users are vetted and their access is monitored. Disable or restrict the checkConnectivity endpoint if it is not actively required for operational functionality, as this eliminates the attack surface entirely at the cost of losing that feature's functionality.
More from same product – last 7 days
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof
Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al
Share
External POC / Exploit Code
Leaving vuln.today