CVE Catalog

CVE-2025-11919

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile — higher than 32% of all known CVEs

Summary

The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath, leading to arbitrary code execution during JVM startup.

Risk Assessment

The risk involves remote code execution (RCE) in the victim's context, potentially leading to application compromise, data theft, or lateral movement within the cloud environment.

Recommendation

Immediately restrict access to the `/tmp/` directory for unauthorized users by applying appropriate permissions (e.g., `chmod 700` or `chmod 750`). Additionally, consider using dedicated, isolated temporary directories for each user or JVM process.

Original NVD description (English source)

The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS