Cyber Resilience

CVE-2022-25894

Critical · Public PoC · RCE

Published: 26 January 2023

Modified: 01 April 2025
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0374 (88.3rd percentile)
Risk Priority: 22 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-25894 is a critical-severity Code Injection (CWE-94) vulnerability in Uflo Project Uflo. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 11.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

All versions of the com.bstek.uflo:uflo-core package are vulnerable to remote code execution through the ExpressionContextImpl class. The flaw stems from unsafe use of jexl.createExpression(expression).evaluate(context) without adequate validation of untrusted input, corresponding to CWE-94 and carrying a CVSS 3.1 score of 9.8.

An unauthenticated attacker with network access can supply a crafted JEXL expression that is evaluated at runtime, resulting in arbitrary code execution on the server with full impact on confidentiality, integrity and availability.

EPSS for the vulnerability rose from lower values to a peak of 0.0958 on 2025-01-22 before receding to the current score of 0.0374, indicating a period of increased exploitation interest well after the 2023 disclosure. Public references include a detailed proof-of-concept write-up and direct links to the vulnerable code in the uflo repository.
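As an added illustration (not uflo's code and not taken from the advisory), the Java sketch below shows the defensive pattern that addresses this class of flaw: the expression string is never taken from the request, request data enters only as context variables, and the engine is built with Apache Commons JEXL 3.3's restricted permissions and a reduced feature set as defence in depth. The class, method and variable names are assumptions; the JEXL calls are the ones documented for 3.3.

```java
// Added example: keeping untrusted input out of JEXL expression source.
// Not uflo's code; assumes Apache Commons JEXL 3.3 (org.apache.commons.jexl3).
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlFeatures;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

import java.util.Map;
import java.util.Set;

public final class SafeExpressionEvaluator {
    // Only expressions shipped with the application may ever be evaluated;
    // a value arriving over the network is data, never code.
    private static final Set<String> ALLOWED_EXPRESSIONS = Set.of(
        "amount > limit",
        "approver == requester");

    private final JexlEngine jexl;

    public SafeExpressionEvaluator() {
        // Defence in depth: disable language features a workflow rule never needs.
        JexlFeatures features = new JexlFeatures()
            .loops(false)
            .lambda(false)
            .newInstance(false)
            .sideEffect(false)
            .sideEffectGlobal(false)
            .script(false);
        this.jexl = new JexlBuilder()
            .features(features)
            // RESTRICTED blocks reflective access to JDK classes such as Runtime/ProcessBuilder.
            .permissions(JexlPermissions.RESTRICTED)
            .strict(true)
            .silent(false)
            .create();
    }

    /** Evaluates an allow-listed expression; request-derived values go in via the context. */
    public Object evaluate(String expression, Map<String, Object> variables) {
        if (!ALLOWED_EXPRESSIONS.contains(expression)) {
            throw new IllegalArgumentException("expression not in allow-list");
        }
        JexlContext ctx = new MapContext();
        variables.forEach(ctx::set);
        try {
            return jexl.createExpression(expression).evaluate(ctx);
        } catch (JexlException e) {
            // A rejected expression (blocked permission, disabled feature) fails closed.
            throw new IllegalStateException("expression rejected", e);
        }
    }
}
```

The allow-list is the actual fix for CWE-94; the permissions and feature restrictions only limit the blast radius if an expression string still reaches the engine from an untrusted source.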

EU & UK References

Vulnerability details

All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via the jexl.createExpression(expression).evaluate(context) functionality, due to improper user input validation.

CWE(s)

CWE-94: Improper Control of Generation of Code ('Code Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: uflo project
Product: uflo
Versions: all versions

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Addresses CWE-94: Dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.
- Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.
- Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.

References