Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).
AnalysisAI
Server-Side Request Forgery (SSRF) in Eclipse BaSyx Java Server SDK prior to 2.0.0-milestone-10 allows unauthenticated remote attackers to force the server to execute blind HTTP POST requests to arbitrary internal or external targets via the unvalidated Operation Delegation feature. Attackers can exploit this to bypass network segmentation, pivot into isolated IT/OT infrastructure, or access Cloud Metadata services (IMDS) - enabling potential credential theft and lateral movement. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but the SSRF attack pattern is well-understood and readily exploitable.
Technical ContextAI
Eclipse BaSyx is an open-source Java SDK implementing the Industry 4.0 Asset Administration Shell (AAS) specification for digital twin and industrial asset management. The vulnerability resides in the Operation Delegation feature, which allows the BaSyx server to forward operation requests to external endpoints. CWE-918 (Server-Side Request Forgery) occurs when the application accepts user-controlled URLs without proper validation of the destination. In this case, the BaSyx server fails to validate the destination URI before executing HTTP POST requests, enabling attackers to abuse the server as a proxy to reach internal network resources, cloud provider metadata endpoints (AWS IMDS at 169.254.169.254, Azure IMDS, GCP metadata), or other internal services that trust requests from the BaSyx server's IP address. The Changed Scope (S:C) in the CVSS vector indicates the vulnerability can impact resources beyond the vulnerable component itself, consistent with SSRF attacks that pivot across network boundaries.
RemediationAI
Upgrade Eclipse BaSyx Java Server SDK to version 2.0.0-milestone-10 or later, which implements URI validation controls for the Operation Delegation feature per Eclipse Foundation advisory at https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423. Review deployment architecture and apply compensating controls during upgrade window: disable the Operation Delegation feature entirely if not required for business operations (check BaSyx configuration files for delegation settings); implement strict egress filtering at network perimeter to block outbound HTTP/HTTPS from BaSyx servers except to explicitly whitelisted destinations; deploy Web Application Firewall (WAF) or reverse proxy with request inspection to detect and block SSRF attempts (monitor for suspicious internal IP addresses, cloud metadata endpoints 169.254.169.254, localhost references, or URL encoding techniques in delegation parameters); isolate BaSyx servers in dedicated network segments with minimal access to internal resources. Note that egress filtering may interfere with legitimate delegation use cases and must be coordinated with operational teams. For cloud deployments, implement IMDSv2 (AWS) which requires token-based authentication and mitigates blind SSRF against metadata services, though this does not address internal network pivoting risks.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27386
GHSA-gx3v-wxfj-8h24