CVE-2025-11919 | The default JVM can access files and directories under `/tmp… | CVSS 9.6 CRITICAL

Description

The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.

Metadata

CVE ID: CVE-2025-11919
State: PUBLISHED
Assigner: certcc
Reserved: 2025-10-17 14:38 UTC
Published: 2026-06-26 15:39 UTC
Last updated: 2026-06-26 17:40 UTC
Vendor / Product: Wolfram Research Inc. / Cloud
Sources: cve.org · NVD

Severity & Metrics

9.6 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Wolfram Research Inc.	Cloud	—	14.2

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-552 Files or Directories Accessible to External Parties

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.6	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

References (1)

https://github.com/PeterRoberge/vulnerability-wolfram-cloud-14.2/blob/main/disclosure.md