CVE-2025-3322
CVE-2025-3322 is a critical-severity vulnerability with a CVSS 4.0 base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-917.
Key facts
- Severity: Critical (CVSS 4.0 base score 10.0)
- EPSS exploit prediction: 1% (43rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-17092
- Weakness: CWE-917
- Published:
- Last modified:
Description
An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.
Frequently asked questions
- What is CVE-2025-3322?
- An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.
- How severe is CVE-2025-3322?
- CVE-2025-3322 has a CVSS 4.0 base score of 10.0, rated critical severity.
- Is CVE-2025-3322 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (43rd percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-3322?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2025-3322 have an EU (EUVD) identifier?
- Yes. CVE-2025-3322 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-17092.
- When was CVE-2025-3322 published?
- CVE-2025-3322 was published on 2025-06-06 and last updated on 2026-06-17.
References
Other CWE-917 vulnerabilities
- CVE-2022-22947 — Critical (CVSS 10.0): In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack…
- CVE-2026-11561 — Critical (CVSS 9.8): Improper neutralization of special elements used in an expression language statement ('expression language injection')…
- CVE-2026-22738 — Critical (CVSS 9.8): In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a…
- CVE-2026-24713 — Critical (CVSS 9.8): Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7,…
- CVE-2023-51593 — Critical (CVSS 9.8): Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability…
- CVE-2023-41331 — Critical (CVSS 9.8): SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a…