CVE-2025-2622 — aizuda snail-job Vulnerable to Deserialization via `nodeExpression` Argument

Description

A vulnerability was found in aizuda snail-job 1.4.0. It has been classified as critical. Affected is the function getRuntime of the file /snail-job/workflow/check-node-expression of the component Workflow-Task Management Module. The manipulation of the argument nodeExpression leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

How to fix CVE-2025-2622

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-2622 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-2622
PATCHgitee.com/aizuda/snail-job
WEBgitee.com/aizuda/snail-job/issues/IBSQ24
WEBgitee.com/aizuda/snail-job/issues/IBSQ24#note_38500450_link
WEBvuldb.com