CVE-2025-58059
Valtimo scripting engine can be used to gain access to sensitive data or resources
Description
### Impact

Any admin who can create or modify and execute process definitions could gain access to sensitive data or resources. This includes, but is not limited to:

- Running executables on the application host
- Inspecting and extracting data from the host environment or application properties
- Accessing Spring beans (application context, database pooling)

### Attack requirements

The following conditions have to be met in order to perform this attack:

- The user must be logged in
- The user must have the admin role (ROLE_ADMIN), which is required to change process definitions
- The user must have some knowledge about running scripts via the Camunda/Operaton engine

### Patches

Versions 12.16.0 and 13.1.2 have been patched. It is strongly advised to upgrade.

### Workarounds

If no scripting is needed in any of the processes, it could be possible to disable it altogether by clearing the script engine resolver on the `ProcessEngineConfiguration`:

```kotlin
import org.camunda.bpm.engine.ProcessEngine
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl
import org.camunda.bpm.engine.impl.cfg.ProcessEnginePlugin
import org.springframework.stereotype.Component
// The imports above are the Camunda 7 types (Valtimo 12 and lower); on Operaton
// (Valtimo 13 and higher) the same types live under the org.operaton.bpm.engine packages.

@Component
class NoScriptEnginePlugin : ProcessEnginePlugin {
    override fun preInit(processEngineConfiguration: ProcessEngineConfigurationImpl) {}

    override fun postInit(processEngineConfiguration: ProcessEngineConfigurationImpl) {
        // With no resolver the engine cannot obtain any script engine, so script tasks,
        // script listeners and script-based conditions can no longer be executed.
        processEngineConfiguration.scriptEngineResolver = null
    }

    override fun postProcessEngineBuild(processEngine: ProcessEngine) {}
}
```

Warning: this workaround could lead to unexpected side-effects. Please test thoroughly.

### References

- Valtimo 12 and lower: [Camunda Scripting](https://docs.camunda.org/manual/latest/user-guide/process-engine/scripting/#custom-scriptengineresolver)
- Valtimo 13 and higher: [Operaton Scripting](https://docs.operaton.org/docs/documentation/user-guide/process-engine/scripting)
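The workaround only makes sense once you know that no deployed process relies on a script engine. As an added example that is not part of the advisory or of Valtimo, the following Python inventories the places in a BPMN 2.0 definition where Camunda 7 / Operaton would invoke a script engine (script tasks, script-based execution or task listeners, and scripted sequence-flow conditions); the BPMN documents are constructed samples, and the element and attribute names follow the BPMN and Camunda extension schemas.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one script task, one scripted task listener, one scripted
# condition, and one service task using a plain JUEL expression (no script engine).
SAMPLE_BPMN = """<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL"
    xmlns:camunda="http://camunda.org/schema/1.0/bpmn" id="defs">
  <bpmn:process id="order" isExecutable="true">
    <bpmn:scriptTask id="calc" scriptFormat="groovy"><bpmn:script>total = 1</bpmn:script></bpmn:scriptTask>
    <bpmn:userTask id="review"><bpmn:extensionElements><camunda:taskListener event="create">
      <camunda:script scriptFormat="javascript">task.setAssignee("clerk")</camunda:script>
    </camunda:taskListener></bpmn:extensionElements></bpmn:userTask>
    <bpmn:sequenceFlow id="f1" sourceRef="calc" targetRef="review">
      <bpmn:conditionExpression language="groovy">total &gt; 0</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <bpmn:serviceTask id="notify" camunda:expression="${true}"/>
  </bpmn:process>
</bpmn:definitions>"""
NO_SCRIPT_BPMN = """<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" id="d2">
  <bpmn:process id="p"><bpmn:userTask id="u"/></bpmn:process></bpmn:definitions>"""

def _local(tag: str) -> str:
    """Strip the namespace so BPMN and vendor extension elements match by local name."""
    return tag.rsplit("}", 1)[-1]

def find_script_usage(bpmn_xml: str) -> list:
    """Return one record per place the engine would hand text to a script engine."""
    root = ET.fromstring(bpmn_xml)
    parent = {child: elem for elem in root.iter() for child in elem}

    def owner(el):  # nearest ancestor-or-self that carries a BPMN id
        while el is not None and "id" not in el.attrib:
            el = parent.get(el)
        return el.attrib["id"] if el is not None else None

    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "scriptTask":
            found.append({"kind": "scriptTask", "owner": owner(el),
                          "format": el.attrib.get("scriptFormat")})
        elif name == "script" and "scriptFormat" in el.attrib:  # camunda:script in listeners / IO mappings
            found.append({"kind": f"{_local(parent[el].tag)} script", "owner": owner(el),
                          "format": el.attrib["scriptFormat"]})
        elif name == "conditionExpression" and "language" in el.attrib:
            found.append({"kind": "conditionExpression", "owner": owner(el),
                          "format": el.attrib["language"]})
    return found

def scripting_required(bpmn_xml: str) -> bool:
    """True if clearing the ScriptEngineResolver would break this definition."""
    return bool(find_script_usage(bpmn_xml))
```

Run it over every BPMN file in the deployment (or the XML returned by the engine's repository service) before enabling the plugin; an empty result for all definitions is the precondition the workaround asks for.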
How to fix CVE-2025-58059
To remediate CVE-2025-58059, upgrade the affected package to a fixed version below.
- Upgrade to 12.16.0.RELEASE or later
Is CVE-2025-58059 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.