CVE-2025-2622: aizuda snail-job Vulnerable to Deserialization via `nodeExpression` Argument

March 22, 2025 (updated March 24, 2025)

A vulnerability was found in aizuda snail-job 1.4.0. It has been classified as critical. Affected is the function getRuntime of the file /snail-job/workflow/check-node-expression of the component Workflow-Task Management Module. The manipulation of the argument nodeExpression leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

References

gitee.com/aizuda/snail-job
gitee.com/aizuda/snail-job/issues/IBSQ24
gitee.com/aizuda/snail-job/issues/IBSQ24
github.com/advisories/GHSA-4m5h-5v4q-4xgq
nvd.nist.gov/vuln/detail/CVE-2025-2622
vuldb.com/?ctiid.300624
vuldb.com/?id.300624
vuldb.com/?submit.518999

Code Behaviors & Features

Detect and mitigate CVE-2025-2622 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →