Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI allows Code Injection. This issue affects MetalpriceAPI: from n/a through 1.1.4.
AnalysisAI
Critical Code Injection vulnerability (CWE-94) in MetalpriceAPI versions through 1.1.4 that allows authenticated attackers to inject and execute arbitrary code with network access and low complexity. The vulnerability has a maximum severity CVSS score of 9.9 with complete impact across confidentiality, integrity, and availability. This is a high-priority vulnerability affecting any deployment of MetalpriceAPI up to version 1.1.4, with no publicly confirmed workarounds available at this time.
Technical ContextAI
MetalpriceAPI is a software component/library that handles metal price data queries and integrations. The vulnerability stems from improper control of code generation (CWE-94), meaning user-supplied input is likely being passed unsanitized into dynamic code execution functions (such as eval(), exec(), or similar runtime code evaluation mechanisms). The affected product identifier is likely 'metalpriceapi' with versions from an unknown baseline through 1.1.4. The attack vector is Network-based with Low Attack Complexity, indicating the vulnerability does not require special network conditions, timing, or user interaction beyond initial authentication (PR:L = Low Privilege requirement). This suggests the vulnerability may be exploitable through standard API calls or standard application interfaces without elevated privileges.
RemediationAI
Immediate remediation steps: (1) Identify and audit all systems running MetalpriceAPI versions 1.1.4 and earlier; (2) Upgrade to the first patched version (likely 1.1.5 or higher, pending vendor release); (3) If upgrade is not immediately possible, implement network segmentation to restrict API access to only trusted, authenticated users and limit the scope of code that can be injected; (4) Implement input validation and sanitization frameworks that prevent code metacharacters from being passed to the vulnerable code generation functions; (5) Deploy Web Application Firewalls (WAF) rules to detect and block code injection patterns targeting the MetalpriceAPI endpoints; (6) Monitor application logs for suspicious input patterns that might indicate attempted code injection attacks. Vendor advisory and patch details should be obtained from the official MetalpriceAPI repository or security advisories.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17532