CVE-2025-58059 Overview
CVE-2025-58059 is a critical Command Injection vulnerability (CWE-78) affecting Valtimo, a platform for Business Process Automation. This vulnerability allows authenticated admin users with process definition privileges to gain unauthorized access to sensitive data and system resources through the Camunda/Operator script engine.
The vulnerability enables attackers to execute arbitrary executables on the application host, inspect and extract data from the host environment or application properties, and access Spring beans including application context and database pooling configurations.
Critical Impact
Authenticated administrators can escalate privileges to execute arbitrary commands on the underlying host system, potentially leading to complete system compromise, data exfiltration, and lateral movement within the network.
Affected Products
- Valtimo versions before 12.16.0.RELEASE
- Valtimo versions from 13.0.0.RELEASE to before 13.1.2.RELEASE
Discovery Timeline
- 2025-08-28 - CVE CVE-2025-58059 published to NVD
- 2025-08-29 - Last updated in NVD database
Technical Details for CVE-2025-58059
Vulnerability Analysis
This vulnerability stems from insufficient input validation and sandboxing in the Camunda process engine's script execution functionality within Valtimo. The platform allows administrators to create and execute process definitions that include scripting capabilities. Without proper restrictions, these scripts can access sensitive system resources and execute arbitrary commands on the host system.
The attack requires the user to be logged in with admin role privileges and have knowledge about running scripts via the Camunda/Operator engine. While this limits the attack surface to authenticated administrators, the impact is severe as it enables complete host compromise including access to environment variables, application properties, Spring beans, and the ability to execute system commands.
Root Cause
The root cause is the lack of proper sandboxing for the JavaScript execution engine used in process definitions. The Camunda process engine allows script tasks that can interact with the Java runtime environment without restrictions, enabling access to system resources that should be isolated from business process logic.
Attack Vector
The attack is network-based and requires high privileges (admin role). An authenticated administrator can craft malicious process definitions containing scripts that leverage the Camunda engine's script execution capabilities to:
- Execute system commands on the application host
- Access and exfiltrate environment variables and application properties
- Interact with Spring beans to manipulate application context
- Access database connection pools and extract sensitive data
The patched versions introduce a ScriptingWhitelistPlugin and AllowedClassesScriptEngineResolver that implement class-level restrictions on what can be accessed from scripts.
package com.ritense.valtimo.autoconfigure;
import com.ritense.valtimo.CamundaWhitelistedBeansPlugin;
+import com.ritense.valtimo.ScriptingWhitelistPlugin;
import com.ritense.valtimo.contract.annotation.ProcessBean;
import java.util.Map;
+import java.util.Set;
import org.camunda.bpm.spring.boot.starter.configuration.Ordering;
+import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.ApplicationContext;
Source: GitHub Commit
The fix introduces a new AllowedClassesScriptEngineResolver that wraps the GraalJS script engine with host access restrictions:
+class AllowedClassesScriptEngineResolver(
+ scriptEngineManager: ScriptEngineManager,
+ otherAllowedClasses: Set<String> = emptySet()
+) : DefaultScriptEngineResolver(scriptEngineManager) {
+ val ALL_ALLOWED = ALLOWED + otherAllowedClasses
Source: GitHub Commit
Detection Methods for CVE-2025-58059
Indicators of Compromise
- Unusual process definition deployments or modifications by admin accounts
- Script execution logs showing access to system classes like Runtime, ProcessBuilder, or System
- Unexpected outbound network connections from the Valtimo application server
- Access to Spring application context or database pooling beans from process scripts
Detection Strategies
- Monitor Camunda process engine logs for script execution events that reference sensitive Java classes
- Implement audit logging for process definition creation and modification activities
- Review deployed process definitions for suspicious script tasks containing system access patterns
- Deploy application-level security monitoring to detect anomalous Spring bean access
Monitoring Recommendations
- Enable verbose logging for the Camunda process engine script execution component
- Configure alerts for process definition deployments during non-business hours
- Monitor for unusual database queries originating from process execution contexts
- Implement network segmentation and monitor for lateral movement attempts from the application server
How to Mitigate CVE-2025-58059
Immediate Actions Required
- Upgrade Valtimo to version 12.16.0.RELEASE or later for the 12.x branch
- Upgrade Valtimo to version 13.1.2.RELEASE or later for the 13.x branch
- Audit existing process definitions for suspicious script content
- Review admin user accounts and ensure least-privilege access principles
Patch Information
Security patches are available in Valtimo versions 12.16.0.RELEASE and 13.1.2.RELEASE. The patches implement JavaScript sandboxing through a new ScriptingWhitelistPlugin and AllowedClassesScriptEngineResolver that restrict which Java classes can be accessed from process definition scripts.
For detailed patch information, refer to the GitHub Security Advisory and the security commit.
Workarounds
- If no scripting is needed in any processes, disable scripting altogether via the ProcessEngineConfiguration
- Note that disabling scripting could lead to unexpected side-effects in existing process definitions
- Restrict admin role assignments to trusted users only
- Implement network segmentation to limit the blast radius if exploitation occurs
# Configuration example - Disable scripting in ProcessEngineConfiguration
# Add to application.properties or application.yml
# Option 1: Disable script engine completely (may cause side effects)
camunda.bpm.generic-properties.properties.enableScriptEngineNashorn=false
camunda.bpm.generic-properties.properties.enableScriptEngineJavaScript=false
# Option 2: Restrict which script languages are available
# Recommended: Upgrade to patched version instead
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
