CVE-2025-0982 CRITICAL

CVE-2025-0982: Sandbox Escape in Google Cloud Application Integration's JavaScript Task (Rhino Engine)

Vendor Google Cloud

Product Application Integration

Weakness CWE-829 · Inclusion from untrusted sphere

Published February 6, 2025

Last update February 12, 2025

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

Description

Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScript code executed by the Rhino engine. Effective January 24, 2025, Application Integration will no longer support Rhino as the JavaScript execution engine. No further fix actions are needed.

Key dates

Disclosure timeline

February 6, 2025 CVE published

February 12, 2025 Record updated