CVE-2025-11919

The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). The `-init` file for the the JVM initialization exists in the vulnerable directory during the startup of the JVM. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (via the `-init` file) that the victim JVM will resolve first in its classpath. By strategically placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that is included in the classpath before the legitimate version, an attacker can cause the JVM to load the malicious class during startup, thereby executing the attacker's code.

• https://github.com/PeterRoberge/vulnerability-wolfram-cloud-14.2/blob/main/disclosure.md
• https://www.kb.cert.org/vuls/id/553375
• https://github.com/PeterRoberge/vulnerability-wolfram-cloud-14.2/blob/main/disclosure.md

Published

Jun 26, 2026

Last Modified

Jun 26, 2026

Status

Awaiting Analysis