CVE-2025-13426

05.12.2025, 22:15

A vulnerability exists in Google  Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy  that allows for remote code execution.

It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime,leading to unauthorized access to data, lateral movement within the network, and access to backend systems.

The Apigee hybrid versions below have all been updated to protect from this vulnerability:
  *  Hybrid_1.11.2+
  *  Hybrid_1.12.4+
  *  Hybrid_1.13.3+
  *  Hybrid_1.14.1+
  *  OPDK_5202+
  *  OPDK_5300+

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
GoogleCloud	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-913 - Improper Control of Dynamically-Managed Code Resources
The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

References

https://docs.cloud.google.com/apigee/docs/hybrid/release-notes#March_01_2025