CVE-2025-48140

EUVD-2025-17532 CRITICAL
2025-06-09 [email protected]
CVSS 3.1 base score: 9.9

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Changed (S:C)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd), EUVD-2025-17532
Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
CVE Published: Jun 09, 2025 - 16:15 (nvd), CRITICAL 9.9

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI allows Code Injection. This issue affects MetalpriceAPI: from n/a through 1.1.4.

Analysis

Critical Code Injection vulnerability (CWE-94) in MetalpriceAPI versions through 1.1.4 that allows an authenticated, low-privileged attacker with network access to inject and execute arbitrary code at low attack complexity. The vulnerability carries a CVSS 3.1 base score of 9.9 (Critical) with high impact on confidentiality, integrity, and availability, and a changed scope, meaning the impact extends beyond the vulnerable component itself. This is a high-priority vulnerability affecting any deployment of MetalpriceAPI up to and including version 1.1.4, with no publicly confirmed workarounds available at this time.

Technical Context

MetalpriceAPI is a software component/library that handles metal price data queries and integrations. The vulnerability stems from improper control of code generation (CWE-94), meaning user-supplied input is likely passed unsanitized into a dynamic code execution function (such as eval(), exec(), or a similar runtime code evaluation mechanism). The affected product identifier is 'metalpriceapi', with versions from an unknown baseline through 1.1.4. The attack vector is Network-based with Low Attack Complexity, so exploitation does not depend on special network conditions or timing; it requires no user interaction (UI:N) and only low privileges (PR:L), i.e. an ordinary authenticated account. The Changed scope (S:C) indicates that a successful attack affects resources beyond the vulnerable component. Taken together, this suggests the vulnerability may be reachable through standard API calls or standard application interfaces without elevated privileges.

Affected Products

MetalpriceAPI versions 0.x through 1.1.4 are affected. The corresponding CPE would be cpe:2.3:a:metalpriceapi:metalpriceapi:*:*:*:*:*:*:*:* with version matching <=1.1.4. The description gives no lower bound ("n/a"), so every release up to and including 1.1.4 should be treated as vulnerable. The vendor is identified as 'metalpriceapi' with product 'MetalpriceAPI'. Organizations using this library in production for metal price data integration, market data feeds, or trading applications are at direct risk.

Remediation

Immediate remediation steps:

(1) Identify and audit all systems running MetalpriceAPI versions 1.1.4 and earlier.
(2) Upgrade to the first patched version (likely 1.1.5 or higher, pending vendor release).
(3) If an upgrade is not immediately possible, use network segmentation to restrict access to the API to trusted, authenticated users only, reducing the set of accounts that could reach the vulnerable functionality.
(4) Apply input validation and sanitization so that code metacharacters cannot reach the vulnerable code generation functions.
(5) Deploy Web Application Firewall (WAF) rules to detect and block code injection patterns targeting the MetalpriceAPI endpoints.
(6) Monitor application logs for suspicious input patterns that might indicate attempted code injection.

Vendor advisory and patch details should be obtained from the official MetalpriceAPI repository or security advisories.

Priority Score

50 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.1, CVSS +50, POC 0


CVE-2025-48140 vulnerability details – vuln.today
