{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-5680","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-06-04T13:17:41.924Z","datePublished":"2025-06-05T19:31:09.376Z","dateUpdated":"2025-06-05T19:53:46.399Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2025-06-05T19:31:09.376Z"},"title":"Shenzhen Dashi Tongzhou Information Technology AgileBPM Groovy Script SysScriptController.java executeScript deserialization","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-502","lang":"en","description":"Deserialization"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-20","lang":"en","description":"Improper Input Validation"}]}],"affected":[{"vendor":"Shenzhen Dashi Tongzhou Information Technology","product":"AgileBPM","versions":[{"version":"2.0","status":"affected"},{"version":"2.1","status":"affected"},{"version":"2.2","status":"affected"},{"version":"2.3","status":"affected"},{"version":"2.4","status":"affected"},{"version":"2.5.0","status":"affected"}],"modules":["Groovy Script Handler"]}],"descriptions":[{"lang":"en","value":"A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used."},{"lang":"de","value":"In Shenzhen Dashi Tongzhou Information Technology AgileBPM bis 2.5.0 wurde eine kritische Schwachstelle entdeckt. Betroffen ist die Funktion executeScript der Datei /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java der Komponente Groovy Script Handler. Durch Beeinflussen des Arguments script mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":6.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P"}}],"timeline":[{"time":"2025-06-04T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-06-04T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-06-04T15:22:48.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"VulDB Gitee Analyzer","type":"tool"}],"references":[{"url":"https://vuldb.com/?id.311167","name":"VDB-311167 | Shenzhen Dashi Tongzhou Information Technology AgileBPM Groovy Script SysScriptController.java executeScript deserialization","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.311167","name":"VDB-311167 | CTI Indicators (IOB, IOC, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.585108","name":"Submit #585108 | https://www.tongzhouyun.com/ https://gitee.com/agile-bpm/agile-bpm-basic v2.8 (the latest version code submitted as of 20250526) Code Injection","tags":["third-party-advisory"]},{"url":"https://gitee.com/agile-bpm/agile-bpm-basic/issues/ICAPT5","tags":["exploit","issue-tracking"]}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-06-05T19:42:25.683469Z","id":"CVE-2025-5680","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-05T19:53:46.399Z"}}]}}