CVE-2025-9264

5.4 MEDIUM

📋 TL;DR

This vulnerability in Xuxueli xxl-job allows a remote attacker to manipulate the job ID parameter of the job removal function, improperly controlling a resource identifier and potentially deleting or modifying jobs the attacker is not authorized to manage. It affects all deployments of xxl-job up to and including version 3.1.1. A public exploit exists and could be used against internet-facing instances.

💻 Affected Systems

Products:
  • Xuxueli xxl-job
Versions: Up to and including 3.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable component exposed are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A remote unauthenticated attacker could delete or manipulate scheduled jobs, causing service disruption, data loss, or unauthorized job execution.

🟠 Likely Case

An attacker with some access to the job management interface could delete or modify job configurations, disrupting scheduled tasks and business operations.

🟢 If Mitigated

With proper access controls and input validation, impact is limited to actions by authorized users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available in a GitHub issue. The attack requires some level of access to the job management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.2 or later

Vendor Advisory: https://github.com/xuxueli/xxl-job/issues/3773

Restart Required: No

Instructions:

  1. Upgrade xxl-job to version 3.1.2 or later.
  2. Replace the vulnerable JobInfoController.java file.
  3. Rebuild and redeploy the application.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side validation for the job ID parameter: check that it has the expected format and that the requesting user is authorized to act on the referenced job.

Access Restriction (applies to: all)

Restrict network access to the xxl-job admin interface using firewall rules or network segmentation.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can access the job management interface
  • Deploy a web application firewall (WAF) with rules to detect and block parameter manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the running xxl-job version is 3.1.1 or earlier. Review whether /src/main/java/com/xxl/job/admin/controller/JobInfoController.java still contains the vulnerable remove function.

Check Version:

Check the application version in the admin interface, or review pom.xml for the version number.

Verify Fix Applied:

Verify that the version is 3.1.2 or later and that JobInfoController.java includes proper input validation and authorization checks for the remove function.

📡 Detection & Monitoring

Log Indicators:

  • Unusual job deletion patterns
  • Failed authorization attempts on job removal endpoints
  • Multiple job ID manipulation attempts

Network Indicators:

  • HTTP requests to job removal endpoints with unusual parameters
  • Traffic patterns suggesting automated job manipulation

SIEM Query:

source="xxl-job" AND (uri="/jobinfo/remove" OR method="DELETE") AND status=200
