CVE-2025-56769
Hutool allows remote code execution (RCE) via the QLExpressEngine class
EPSS 0.21%
Description
An issue was discovered in chinabugotech hutool before 5.8.40 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class.
How to fix CVE-2025-56769
To remediate CVE-2025-56769, upgrade the affected package to the fixed version listed below.
- Maven: cn.hutool:hutool-extra, upgrade to 5.8.40 or later
Is CVE-2025-56769 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- cn.hutool:hutool-extra: all versions from 0 up to, but not including, 5.8.40
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |