CVE-2025-9263 — xxl-job Vulnerable to Resource Injection and Authorization Bypass Through User-C

Description

A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Affected by this vulnerability is the function getJobsByGroup of the file /src/main/java/com/xxl/job/admin/controller/JobLogController.java. Such manipulation of the argument jobGroup leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

How to fix CVE-2025-9263

To remediate CVE-2025-9263, upgrade the affected package to a fixed version below.

—upgrade to 3.2.0 or later

Is CVE-2025-9263 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-9263
PATCHgithub.com/xuxueli/xxl-job
WEBgithub.com/xuxueli/xxl-job/issues/3772
WEBgithub.com/xuxueli/xxl-job/issues/3772#issue-3308329205
WEBvuldb.com