Description

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat's built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.

INFO

Published Date :

2025-11-07T00:00:00.000Z

Last Modified :

2025-11-07T18:41:28.538Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-63690 vulnerability.

Vendors Products
Pig-mesh
  • Pig
Pig4cloud
  • Pig
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-63690.

URL Resource
https://github.com/LockeTom/vulnerability/blob/main/md/pig_Remote_Code_Execution_Vulnerability.md cve-icon cve-icon
https://github.com/pig-mesh/pig/issues/1199 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact