CVE-2025-0982
Published: 06 February 2025
Summary
CVE-2025-0982 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Google Application Integration. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 21.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-18 (Mobile Code).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SA-22 (Unsupported System Components): Prohibits the use of unsupported system components like the vulnerable Rhino JavaScript engine, directly aligning with the vendor's mitigation of ceasing Rhino support to eliminate the sandbox escape vulnerability.
- SC-18 (Mobile Code): Mandates controls to validate and restrict execution of untrusted mobile code such as crafted JavaScript, preventing arbitrary unsandboxed code execution via the Rhino engine.
- Enforces process isolation to compartmentalize the JavaScript execution environment, mitigating sandbox escape attempts that allow arbitrary code execution outside the intended boundaries.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Sandbox escape in public cloud service via crafted JS directly enables remote exploitation of the application (T1190) and arbitrary code execution through the JavaScript interpreter (T1059.007).
NVD Description
Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScript code executed by the Rhino engine. Effective January 24, 2025, Application Integration will no longer support Rhino as the JavaScript execution engine. No further fix actions are needed.
Deeper analysis
CVE-2025-0982 is a sandbox escape vulnerability in the JavaScript Task feature of Google Cloud Application Integration. The issue affects the Rhino JavaScript execution engine, where crafted JavaScript code can lead to the execution of arbitrary unsandboxed code. Published on 2025-02-06, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
A remote attacker with no privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. By providing specially crafted JavaScript code executed by the Rhino engine, the attacker achieves arbitrary code execution outside the sandbox, resulting in high confidentiality, integrity, and availability impacts due to the changed scope.
The release notes at https://cloud.google.com/application-integration/docs/release-notes#January_23_2025 state that, effective January 24, 2025, Application Integration no longer supports Rhino as the JavaScript execution engine. Removing the affected engine renders the vulnerability obsolete, so no further mitigation actions are required.
Details
- CWE(s): CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)