Improper Sandboxing in Google Apigee’s JavaCallout Policy Allows for Remote Code Execution_CVE-2025-13426

{
    "lastseen": "",
    "description": "A vulnerability exists in Google  Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy  that allows for remote code execution.\n\nIt is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime,\u00a0leading to unauthorized access to data, lateral movement within the network, and access to backend systems.\n\nThe Apigee hybrid versions below have all been updated to protect from this vulnerability:\n  *  Hybrid_1.11.2+\n  *  Hybrid_1.12.4+\n  *  Hybrid_1.13.3+\n  *  Hybrid_1.14.1+\n  *  OPDK_5202+\n  *  OPDK_5300+",
    "published": "2025-12-05T21:27:13.711Z",
    "modified": "2025-12-05T21:46:34.749Z",
    "type": "cve",
    "title": "Improper Sandboxing in Google Apigee's JavaCallout Policy Allows for Remote Code Execution",
    "source": "GoogleCloud",
    "references": "https://docs.cloud.google.com/apigee/docs/hybrid/release-notes#March_01_2025",
    "id": "CVE-2025-13426",
    "bulletinFamily": "",
    "cwe": [
        "CWE-913"
    ],
    "cvelist": null,
    "sourceData": "Google Cloud Apigee hybrid Javacallout policy 0\nGoogle Cloud Apigee hybrid Javacallout policy 0\nGoogle Cloud Apigee hybrid Javacallout policy 0\nGoogle Cloud Apigee hybrid Javacallout policy 0\nGoogle Cloud Apigee hybrid Javacallout policy 0\nGoogle Cloud Apigee hybrid Javacallout policy 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apigee hybrid Javacallout policy",
    "version": "0",
    "vendor": "Google Cloud",
    "ai_description": "Remote code execution vulnerability in Google Apigee's JavaCallout policy due to improper sandboxing, allowing unauthorized access to data and systems.",
    "ai_severity": "High",
    "ai_vendor": "Google Cloud",
    "ai_product": "Apigee hybrid Javacallout policy",
    "ai_version": "Hybrid_1.11.2+, Hybrid_1.12.4+, Hybrid_1.13.3+, Hybrid_1.14.1+, OPDK_5202+, OPDK_5300+",
    "ai_score": 8.7
}