CVE-2025-0982

CVE-2025-0982 is a sandbox escape vulnerability in the JavaScript Task feature of Google Cloud Application Integration. The issue affects the Rhino JavaScript execution engine, where crafted JavaScript code can lead to the execution of arbitrary unsandboxed code. Published on 2025-02-06, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

A remote attacker with no privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. By providing specially crafted JavaScript code executed by the Rhino engine, the attacker achieves arbitrary code execution outside the sandbox, resulting in high confidentiality, integrity, and availability impacts due to the changed scope.

The release notes at https://cloud.google.com/application-integration/docs/release-notes#January_23_2025 state that effective January 24, 2025, Application Integration will no longer support Rhino as the JavaScript execution engine, rendering the vulnerability obsolete. No further mitigation actions are required.