Remote Code Execution Vulnerability in Pig-Mesh by Apache
CVE-2025-63690

9.1CRITICAL

Key Information:

Vendor: Apache
Status: Pig-Mesh
Vendor: CVE Published:; 7 November 2025

What is CVE-2025-63690?

In Pig-Mesh versions 3.8.2 and earlier, a vulnerability exists within the Quartz management functionality that enables the execution of any Java class with a parameterless constructor. This concern arises when scheduled tasks are set up, allowing for potential malicious commands to be executed via reflection. Specifically, the eval method from Tomcat's built-in jakarta.el.ELProcessor can be exploited to carry out unauthorized command execution, posing serious security risks to affected systems.

References

https://github.com/pig-mesh/pig/issues/1199

https://github.com/LockeTom/vulnerability/blob/main/md/pi...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 7, 2025
Vulnerability Reserved
Oct 27, 2025

JSON