Skip to main content

CVE-2025-48140

| EUVDEUVD-2025-17532 CRITICAL
Code Injection (CWE-94)
2025-06-09 audit@patchstack.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 19:21 euvd
EUVD-2025-17532
Analysis Generated
Mar 14, 2026 - 19:21 vuln.today
CVE Published
Jun 09, 2025 - 16:15 nvd
CRITICAL 9.9

DescriptionCVE.org

Improper Control of Generation of Code ('Code Injection') vulnerability in metalpriceapi MetalpriceAPI allows Code Injection. This issue affects MetalpriceAPI: from n/a through 1.1.4.

AnalysisAI

Critical Code Injection vulnerability (CWE-94) in MetalpriceAPI versions through 1.1.4 that allows authenticated attackers to inject and execute arbitrary code with network access and low complexity. The vulnerability has a maximum severity CVSS score of 9.9 with complete impact across confidentiality, integrity, and availability. This is a high-priority vulnerability affecting any deployment of MetalpriceAPI up to version 1.1.4, with no publicly confirmed workarounds available at this time.

Technical ContextAI

MetalpriceAPI is a software component/library that handles metal price data queries and integrations. The vulnerability stems from improper control of code generation (CWE-94), meaning user-supplied input is likely being passed unsanitized into dynamic code execution functions (such as eval(), exec(), or similar runtime code evaluation mechanisms). The affected product identifier is likely 'metalpriceapi' with versions from an unknown baseline through 1.1.4. The attack vector is Network-based with Low Attack Complexity, indicating the vulnerability does not require special network conditions, timing, or user interaction beyond initial authentication (PR:L = Low Privilege requirement). This suggests the vulnerability may be exploitable through standard API calls or standard application interfaces without elevated privileges.

RemediationAI

Immediate remediation steps: (1) Identify and audit all systems running MetalpriceAPI versions 1.1.4 and earlier; (2) Upgrade to the first patched version (likely 1.1.5 or higher, pending vendor release); (3) If upgrade is not immediately possible, implement network segmentation to restrict API access to only trusted, authenticated users and limit the scope of code that can be injected; (4) Implement input validation and sanitization frameworks that prevent code metacharacters from being passed to the vulnerable code generation functions; (5) Deploy Web Application Firewalls (WAF) rules to detect and block code injection patterns targeting the MetalpriceAPI endpoints; (6) Monitor application logs for suspicious input patterns that might indicate attempted code injection attacks. Vendor advisory and patch details should be obtained from the official MetalpriceAPI repository or security advisories.

Share

CVE-2025-48140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy