Cyber Posture

CVE-2025-20059

Severity: Critical

Published: 20 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0102 (77.4th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Relative Path Traversal vulnerability in Ping Identity PingAM Java Policy Agent allows Parameter Injection. This issue affects PingAM Java Policy Agent: through 5.10.3, through 2023.11.1, through 2024.9.

Security Summary

CVE-2025-20059 is a Relative Path Traversal vulnerability (CWE-23) in the Ping Identity PingAM Java Policy Agent that enables Parameter Injection. The issue affects PingAM Java Policy Agent versions through 5.10.3, through 2023.11.1, and through 2024.9. Published on 2025-02-20, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating critical severity because of its high confidentiality and availability impacts.

Unauthenticated remote attackers with network access can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation allows reading sensitive files via path traversal and injecting parameters, leading to unauthorized access to confidential data (high confidentiality impact) and potential denial of service (high availability impact); scope remains unchanged and integrity is unaffected.

The ForgeRock advisory at https://backstage.forgerock.com/knowledge/advisories/article/a61848355 provides details on mitigation strategies and available patches for affected versions.

Details

CWE(s)
CWE-23

References