CVE-2025-0982: Sandbox Escape in Google Cloud Application Integration's JavaScript Task (Rhino Engine)

9.4 CVSS

Description

Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScript code executed by the Rhino engine. Effective January 24, 2025, Application Integration will no longer support Rhino as the JavaScript execution engine. No further fix actions are needed.

Classification

CVE ID: CVE-2025-0982

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Affected Products

Vendor: Google Cloud

Product: Application Integration

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.87% (scored less or equal to compared to others)

EPSS Date: 2025-03-07 (when was this score calculated)

References

https://cloud.google.com/application-integration/docs/release-notes#January_23_2025

Timeline

2025-02-07 00:31:28 UTC
CVE

Sandbox Escape in Google Cloud Application Integration's JavaScript Task (Rhino Engine)