Description

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat's built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.

INFO

Published Date :

2025-11-07T00:00:00.000Z

Last Modified :

2025-11-07T18:41:28.538Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-63690 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-63690.

URL Resource
https://github.com/LockeTom/vulnerability/blob/main/md/pig_Remote_Code_Execution_Vulnerability.md cve-icon cve-icon
https://github.com/pig-mesh/pig/issues/1199 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System