What is the CVSS score of CVE-2025-59059?

CVE-2025-59059 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of Ranger are affected by CVE-2025-59059?

A critical remote code execution vulnerability in Apache Ranger versions 2.7.0 and earlier allows unauthenticated attackers to execute arbitrary code on affected systems with a 9.8 CVSS severity…. A patch is available.

How to fix or mitigate CVE-2025-59059?

Within 24 hours: Inventory all Apache Ranger deployments and identify version numbers; isolate or restrict network access to affected instances pending remediation. Within 7 days: Upgrade all Ranger instances to version 2.8.0 or later; if immediate upgrade is not feasible, implement network segmentation and disable the NashornScriptEngineCreator feature if operationally possible. Within 30 days: Complete full vulnerability assessment of all affected systems, review access logs for exploitation attempts, and conduct post-incident review to prevent recurrence.

Ranger CVE-2025-59059

CRITICAL

Code Injection (CWE-94)

2026-03-03 security@apache.org

GHSA-c87w-642h-m97h

RCE Apache Ranger

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

CVE Published

Mar 03, 2026 - 11:16 nvd

CRITICAL 9.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

83 maven packages depend on org.apache.ranger:ranger-plugins-common (49 direct, 34 indirect)

Ecosystem-wide dependent count for version 2.8.0.

DescriptionNVD

Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue.