CVE-2025-0982

Sandbox Escape in Google Cloud Application Integration's JavaScript Task (Rhino Engine)

CVSS 9.4 CRITICALEPSS 0.2%CWE-829

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.4EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

06 Feb 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScript code executed by the Rhino engine. Effective January 24, 2025, Application Integration will no longer support Rhino as the JavaScript execution engine. No further fix actions are needed.

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Affected products

Google Cloud · Application Integration

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://cloud.google.com/application-integration/docs/release-notes#January_23_2025