CVE-2025-5680: Shenzhen Dashi Tongzhou Information Technology AgileBPM Groovy Script SysScriptController.java executeScript deserialization

6.3 CVSS

Description

A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. In Shenzhen Dashi Tongzhou Information Technology AgileBPM bis 2.5.0 wurde eine kritische Schwachstelle entdeckt. Betroffen ist die Funktion executeScript der Datei /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java der Komponente Groovy Script Handler. Durch Beeinflussen des Arguments script mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.

Classification

CVE ID: CVE-2025-5680

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Problem Types

Deserialization Improper Input Validation

Affected Products

Vendor: Shenzhen Dashi Tongzhou Information Technology

Product: AgileBPM

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5680
https://vuldb.com/?id.311167
https://vuldb.com/?ctiid.311167
https://vuldb.com/?submit.585108
https://gitee.com/agile-bpm/agile-bpm-basic/issues/ICAPT5

Timeline

2025-06-05 20:40:14 UTC
CVE

Shenzhen Dashi Tongzhou Information Technology AgileBPM Groovy Script SysScriptController.java executeScript deserialization