Skip to main content

Wolfram Cloud EUVDEUVD-2025-210362

| CVE-2025-11919 CRITICAL
2026-06-26 certcc GHSA-6f68-j9jr-9q2w
9.6
CVSS 3.1 · Vendor: certcc
Share

Severity by source

Vendor (certcc) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
8.8 HIGH

Attacker must be a co-tenant with shared-/tmp access (AV:L, PR:L); planted artifacts persist without a tight race (AC:L); code runs in another user's JVM (S:C) yielding full C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (certcc).

CVSS VectorVendor: certcc

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 26, 2026 - 18:23 vuln.today
CVSS changed
Jun 26, 2026 - 18:22 NVD
9.6 (CRITICAL)
CVE Published
Jun 26, 2026 - 15:39 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The default JVM can access files and directories under /tmp/ including the $TemporaryDirectory of other users on the same cloud instance (/tmp/UserTemporaryFiles/). The -init file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared /tmp/ space can preemptively create or replace .jar files or directories (via the -init file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., commons-io) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.

AnalysisAI

Code execution against the shared multi-tenant Java runtime in Wolfram Cloud 14.2 is possible because the default JVM resolves classpath artifacts from a world-accessible /tmp/ location shared across tenants on the same cloud instance. A co-tenant attacker who can write to /tmp/UserTemporaryFiles/ can plant a malicious .jar or directory referenced by the JVM's -init startup file so the victim JVM loads attacker-controlled classes ahead of the legitimate library, executing code in the victim's session. No public exploit identified at time of analysis, though CVSS rates the issue 9.6 with a scope change reflecting cross-user/cross-tenant impact.

Technical ContextAI

The flaw lives in how the default JVM in Wolfram Cloud handles initialization on a shared host. During JVM startup a -init file located under the shared /tmp/ tree (specifically /tmp/UserTemporaryFiles/) drives classpath resolution, and because /tmp/ is readable and writable across users/tenants on the same instance, one tenant can influence the directories and JAR files another tenant's JVM consults first. This is a classpath/search-path hijack: a malicious copy of a commonly imported library (the disclosure cites commons-io) placed earlier in the resolution order is loaded instead of the genuine one. No CWE was assigned in the input, but the root cause maps to the Untrusted/Uncontrolled Search Path Element class (CWE-426/CWE-427) compounded by insecure use of a shared temporary directory (CWE-377); the affected CPE is cpe:2.3:a:wolfram_research_inc.:cloud and EUVD scopes it to Cloud 14.2.

RemediationAI

No vendor-released patch or fixed version was identified at time of analysis, so remediation centers on compensating controls. The most direct mitigation is to break the shared-/tmp/ trust boundary: configure per-user/per-tenant private temporary directories (e.g., set a tenant-specific java.io.tmpdir/$TemporaryDirectory and isolate /tmp/UserTemporaryFiles/ per user) so one tenant cannot read or write another's JVM startup artifacts - the trade-off is configuration/operational overhead and possible breakage of tools that assume a shared /tmp. Where feasible, restrict permissions on /tmp/UserTemporaryFiles/ (mode 1777 sticky-bit alone is insufficient because the attack relies on creating new files, so use per-user subdirectories with 0700), and pin/validate the JVM classpath so the -init file and trusted libraries resolve from a protected, non-shared path ahead of any /tmp-derived entries. Reduce blast radius by moving high-value tenants to single-tenant instances. Monitor the CERT/CC note (https://www.kb.cert.org/vuls/id/553375) and the disclosure (https://github.com/PeterRoberge/vulnerability-wolfram-cloud-14.2/blob/main/disclosure.md) for an official fixed build, and apply it once Wolfram Research publishes one.

More in Cloud

View all
CVE-2023-46214 HIGH POC
8.8 Nov 16

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la

CVE-2018-14417 CRITICAL POC
9.8 Aug 04

A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. Rated criti

CVE-2023-22951 HIGH POC
8.8 Apr 13

An issue was discovered in TigerGraph Enterprise Free Edition 3.x. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2014-3476 MEDIUM POC
6.0 Jun 17

OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle c

CVE-2020-15506 CRITICAL
9.8 Jul 07

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,

CVE-2019-9945 CRITICAL
9.8 Mar 23

SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2023-22949 MEDIUM POC
4.9 Apr 14

An issue was discovered in TigerGraph Enterprise Free Edition 3.x. Rated medium severity (CVSS 4.9), this vulnerability

CVE-2013-4365 HIGH
7.5 Oct 17

Heap-based buffer overflow in the fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3

CVE-2023-32764 HIGH
7.8 Aug 03

Fabasoft Cloud Enterprise Client 23.3.0.130 allows a user to escalate their privileges to local administrator. Rated hig

CVE-2024-36982 HIGH
7.5 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.109 and 9

CVE-2023-42578 HIGH
7.5 Dec 05

Improper handling of insufficient permissions or privileges vulnerability in Samsung Data Store prior to version 5.2.00.

CVE-2022-33713 HIGH
7.5 Jul 12

Implicit Intent hijacking vulnerability in Samsung Cloud prior to version 5.2.0 allows attacker to get sensitive informa

Share

EUVD-2025-210362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy