CVE-2025-14674
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code through injection in the QLExpressEngine.doEval function in aizuda snail-job. Affected systems running versions up to 1.6.0 are vulnerable to remote exploitation. The vulnerability stems from improper input validation in expression evaluation.
💻 Affected Systems
- aizuda snail-job
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Arbitrary code execution with the privileges of the snail-job service account, potentially allowing data manipulation or service disruption.
If Mitigated
Limited impact if network segmentation and least privilege principles are properly implemented, though injection could still cause service disruption.
🎯 Exploit Status
While no public proof-of-concept exists, the CWE-74 classification (improper neutralization of special elements) suggests relatively straightforward exploitation for attackers familiar with the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0-beta1
Vendor Advisory: https://gitee.com/aizuda/snail-job/releases/tag/vsj1.7.0-beta1
Restart Required: Yes
Instructions:
1. Back up current configuration and data.
2. Download version 1.7.0-beta1 from the official repository.
3. Stop the snail-job service.
4. Replace the application files with the new version.
5. Restart the service.
6. Verify functionality.
🔧 Temporary Workarounds
Network Isolation
Linux: Restrict network access to snail-job instances to only trusted sources
iptables -A INPUT -p tcp --dport [snail-job-port] -s [trusted-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [snail-job-port] -j DROP
Input Validation Wrapper
All platforms: Implement additional input validation before passing data to QLExpressEngine.doEval
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted IP addresses only
- Monitor logs for unusual patterns in expression evaluation and implement rate limiting on affected endpoints
🔍 How to Verify
Check if Vulnerable:
Check the version in application configuration or by examining the JAR file metadata. Versions 1.6.0 or earlier are vulnerable.
Check Version:
java -jar snail-job-*.jar --version or check the MANIFEST.MF file in the JAR
Verify Fix Applied:
Verify the application version is 1.7.0-beta1 or later and check that commit 978f316c38b3d68bb74d2489b5e5f721f6675e86 is present in the codebase.
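The version check described above, as an added example (not code from the snail-job project or from this advisory): it reads Implementation-Version from the JAR's MANIFEST.MF and compares it with the patch version 1.7.0-beta1. It assumes the build records its version in that standard manifest attribute and that pre-release tags sort alphabetically (alpha before beta); anything it cannot read or parse is reported as unknown rather than guessed.

```python
import re
import sys
import zipfile

FIXED = "1.7.0-beta1"  # patch version stated in the advisory

def manifest_version(jar_path):
    """Return Implementation-Version from the main manifest section, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    # Long manifest values wrap; a continuation line starts with one space.
    text = raw.replace("\r\n", "\n").replace("\n ", "")
    main_section = text.split("\n\n", 1)[0]  # per-entry sections are ignored
    for line in main_section.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "implementation-version":
            return value.strip()
    return None

def version_key(version):
    """Sort key in which a final release outranks its own pre-releases."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:-([A-Za-z]+)\.?(\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = tuple(int(p) for p in m.group(1).split("."))
    core += (0,) * (3 - len(core))  # pad "1.7" to (1, 7, 0)
    if m.group(2) is None:
        return core, (1, "", 0)  # final release
    # Assumption: pre-release tags compare alphabetically, then by number.
    return core, (0, m.group(2).lower(), int(m.group(3) or 0))

def classify(jar_path):
    """Return (status, version); status is vulnerable, patched or unknown."""
    version = manifest_version(jar_path)
    if version is None:
        return "unknown", None
    try:
        vulnerable = version_key(version) < version_key(FIXED)
    except ValueError:
        return "unknown", version  # e.g. an unexpanded build placeholder
    return ("vulnerable" if vulnerable else "patched"), version

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, *classify(path))
```

An "unknown" result means the manifest did not answer the question; fall back to the application configuration or the commit check above.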
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns in expression evaluation logs
- Multiple failed expression parsing attempts
- Unexpected system commands in expression parameters
Network Indicators:
- Unusual traffic patterns to snail-job expression endpoints
- Requests containing suspicious payloads to /expression or similar endpoints
SIEM Query:
source="snail-job" AND (message="*doEval*" OR message="*QLExpressEngine*") AND (message="*exception*" OR message="*error*")
🔗 References
- https://gitee.com/aizuda/snail-job/
- https://gitee.com/aizuda/snail-job/commit/978f316c38b3d68bb74d2489b5e5f721f6675e86
- https://gitee.com/aizuda/snail-job/issues/ICNUG0
- https://gitee.com/aizuda/snail-job/issues/ICNUG0#note_44321424_link
- https://gitee.com/aizuda/snail-job/releases/tag/vsj1.7.0-beta1
- https://vuldb.com/?ctiid.336403
- https://vuldb.com/?id.336403