Improper Neutralization of Expression/Command Delimiters in Apache Commons OGNL
CVE-2025-53192

8.8 HIGH

Key Information:

Vendor: Apache

CVE Published: 18 August 2025

What is CVE-2025-53192?

The Apache Commons OGNL library suffers from improper neutralization of expression/command delimiters, posing a risk of arbitrary code execution. The vulnerability arises when the API Ognl.getValue evaluates user-provided expressions, giving an attacker access to the full parsing and evaluation capabilities of the OGNL engine. Although OgnlRuntime attempts to restrict access to dangerous classes and methods through a blocklist, that blocklist is not exhaustive, and attackers can potentially circumvent it using class objects that are not on the list. Because the Apache Commons OGNL project is retired, no fix will be released; users are advised to migrate to an alternative or to limit use of this API to trusted users.
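The following Java snippet is an added illustration, not code from the advisory or from the Apache Commons OGNL project. It contrasts the risky pattern the advisory describes (request text passed straight to Ognl.getValue) with a developer-chosen allowlist that keeps untrusted text out of the parser entirely; the org.apache.commons.ognl package name, the Ognl.getValue(String, Object) overload, and the Report root class are assumptions for the example.

```java
// Added example (not from the advisory): untrusted-input sink versus allowlist.
// Assumes the retired Apache Commons OGNL artifact (package org.apache.commons.ognl)
// and the Ognl.getValue(String expression, Object root) overload.
import org.apache.commons.ognl.Ognl;
import org.apache.commons.ognl.OgnlException;

import java.util.Map;

public class OgnlSinkExample {

    // Hypothetical root object that expressions are evaluated against.
    public static class Report {
        public String title = "Quarterly summary";
        public int rowCount = 42;
    }

    // RISKY pattern from the advisory: the expression text itself comes from the
    // request, so the OGNL parser sees caller-controlled syntax and the
    // OgnlRuntime blocklist is the only barrier. Flag this in code review.
    public static Object renderFieldUnsafe(String expressionFromRequest, Report root)
            throws OgnlException {
        return Ognl.getValue(expressionFromRequest, root);
    }

    // SAFER: the caller selects a key; the expression string is a constant chosen
    // by the developer, so untrusted text never reaches the OGNL parser.
    private static final Map<String, String> ALLOWED_EXPRESSIONS = Map.of(
            "title", "title",
            "rows",  "rowCount");

    public static Object renderFieldAllowlisted(String fieldKey, Report root)
            throws OgnlException {
        String expression = ALLOWED_EXPRESSIONS.get(fieldKey);
        if (expression == null) {
            // Reject before any parsing happens; log the key for detection.
            throw new IllegalArgumentException("unknown field key: " + fieldKey);
        }
        return Ognl.getValue(expression, root);
    }

    public static void main(String[] args) throws OgnlException {
        Report report = new Report();
        System.out.println(renderFieldAllowlisted("rows", report));
        try {
            renderFieldAllowlisted("not-a-known-key", report);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Even the allowlisted form still depends on a retired library; the advisory's recommendation to migrate away from Apache Commons OGNL stands regardless of how the expressions are chosen.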

Affected Version(s)

Apache Commons OGNL 0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

yyjLF