CVE-2025-9571 HIGH

CVE-2025-9571: Arbitrary Code Execution in Google Cloud Data Fusion via Malicious Artifact Upload

Vendor Google Cloud
Product Cloud Data Fusion
Weakness CWE-502 · Unsafe deserialization
Published December 10, 2025
Last update December 10, 2025
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Red

What the vulnerability does

01Description

A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion. A user with permissions to upload artifacts to a Data Fusion instance can execute arbitrary code within the core AppFabric component. This could allow the attacker to gain control over the Data Fusion instance, potentially leading to unauthorized access to sensitive data, modification of data pipelines, and exploration of the underlying infrastructure. The following CDAP versions include the necessary update to protect against this vulnerability: * 6.10.6+ * 6.11.1+  Users must immediately upgrade to them, or greater ones, available at: https://github.com/cdapio/cdap-build/releases .

Key dates

02Disclosure timeline

December 10, 2025 CVE published
December 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-26978 Free PBX backup: Deserialization of Untrusted Data in admin/modules/backup/Models/BackupSplFileInfo.php CVE-2026-49085 WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.4 - PHP Object Injection vulnerability CVE-2022-23535 LiteDB contains Deserialization of Untrusted Data CVE-2026-32590 Mirror-registry: remote code execution using pickle deserialization CVE-2025-12058 Vulnerability in Keras Model.load_model Leading to Arbitrary Local File Loading and SSRF