CVE-2025-14674: Injection in aizuda snail-job
A vulnerability was found in aizuda snail-job up to 1.6.0. Affected by this vulnerability is the function QLExpressEngine.doEval of the file snail-job-common/snail-job-common-core/src/main/java/com/aizuda/snailjob/common/core/expression/strategy/QLExpressEngine.java. The manipulation results in injection. The attack can be launched remotely. Upgrading to version 1.7.0-beta1 addresses this issue. The patch is identified as 978f316c38b3d68bb74d2489b5e5f721f6675e86. The affected component should be upgraded.
AI Analysis
Technical Summary
CVE-2025-14674 is an injection vulnerability in the aizuda snail-job distributed job and workflow scheduler, specifically in the QLExpressEngine.doEval method of the snail-job-common-core module. The file path (expression/strategy/QLExpressEngine.java) places it among the expression-engine strategies snail-job uses to evaluate workflow expressions; this one delegates to QLExpress, the Alibaba expression engine, which can call Java methods from expression text. All versions up to 1.6.0 are affected: text that a remote attacker can influence reaches doEval and is evaluated as expression code, so a crafted value changes what the engine executes, up to arbitrary expression evaluation inside the scheduler's JVM. The CVSS 4.0 assessment reported for this CVE gives a network attack vector, low attack complexity, no privileges required, no user interaction, and low impacts on confidentiality, integrity and availability. The advisory does not spell out which request path feeds the vulnerable call, so treat the sink as reachable from the scheduler's network interface until the patch diff has been reviewed. The fix ships in version 1.7.0-beta1 as commit 978f316c38b3d68bb74d2489b5e5f721f6675e86. No exploitation in the wild had been reported at publication. The issue matters to organizations that run snail-job for job scheduling and workflow automation, since injected expressions execute with the scheduler's permissions and can disrupt jobs or disclose data the workflow handles.
Potential Impact
Successful exploitation lets a remote attacker have expressions of their choosing evaluated by QLExpressEngine, which runs inside the snail-job process. Depending on what the engine is allowed to reach, that ranges from altering the outcome of a workflow decision to calling Java methods from the expression, so the integrity of job results, the confidentiality of data the workflow handles, and the availability of scheduled tasks are all exposed. Organizations that run business-critical workflows on snail-job may see jobs misrouted, corrupted or stalled, or the scheduler used to reach other internal systems it holds credentials for. The per-metric impacts are rated low, but the attack is remote, needs no privileges or user interaction, and the rating does not account for what the scheduler can reach in a given deployment. No public exploit was known at publication; that lowers immediate urgency but not the need to patch, since the vulnerable code is open source and the fix commit points directly at it. A compromised scheduler is a useful foothold for lateral movement in larger deployments.
Mitigation Recommendations
Upgrade aizuda snail-job to 1.7.0-beta1 or later, which carries the fix commit 978f316c38b3d68bb74d2489b5e5f721f6675e86. Because that release is a pre-release, test it before promoting it, and confirm the commit is present in whatever build you deploy (for example, check the snail-job-common-core artifact version or the git history of a self-built image) rather than relying on the version label alone. Until the upgrade lands, limit network access to the snail-job server and its administrative interface to trusted hosts through firewall rules or segmentation, since the issue is remotely reachable. Review every place where workflow or job definitions feed text to QLExpressEngine and ensure that only workflow authors, not job callers or external inputs, can set expression text; values that originate from requests should be bound as expression variables, never concatenated into the expression. Apply strict validation to any input that can still reach the engine. Log and alert on evaluation failures and on expressions that reference classes such as Runtime, ProcessBuilder or reflection APIs, which have no place in a scheduling rule. A WAF or RASP rule targeting those tokens can add a tripwire, but treat it as detection rather than a fix: the expression grammar is the attack surface and trivial rewrites bypass string matching. Keep an inventory of deployed snail-job versions so the patch can be applied everywhere, and brief developers and administrators on why expression engines must never evaluate untrusted text.
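The following is an added example, not code from snail-job or from the advisory. It builds a minimal decision evaluator on QLExpress (the engine behind the affected strategy class) to show the shape of the sink described in the technical summary beside the hardened shape the mitigation items call for: request data bound as a variable instead of spliced into the expression, a pre-evaluation tripwire that rejects and surfaces rules mentioning dangerous classes, and the engine-level restriction. The class DecisionEvaluator and its methods are hypothetical names; the call QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods is assumed to exist in the QLExpress 3.3.x line and must be checked against the version on your classpath; the RISKY pattern is a detection aid written for this example, not a project feature.

```java
import com.ql.util.express.DefaultContext;
import com.ql.util.express.ExpressRunner;
import com.ql.util.express.config.QLExpressRunStrategy;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example (hypothetical class, not snail-job code): an expression-injection
// sink and its hardened counterpart, both backed by QLExpress.
public class DecisionEvaluator {

    private static final ExpressRunner RUNNER = new ExpressRunner();

    // Class and method names a workflow rule should never mention. Used to reject
    // and log a rule before it reaches the engine; this is a detection aid, not the
    // primary control (binding data as variables and the engine restriction are).
    private static final Pattern RISKY = Pattern.compile(
            "\\b(?:Runtime|ProcessBuilder|Class\\.forName|System\\.(?:exit|load|getProperty)|java\\.|import\\s)");

    static {
        // Assumption: this switch exists in the QLExpress 3.3.x line and blocks
        // Runtime.exec, ProcessBuilder.start, System.exit and similar calls from
        // expressions. Verify against the QLExpress version actually on the classpath.
        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
    }

    /** VULNERABLE pattern: request text is spliced into the expression source. */
    public static Object evalUnsafe(String valueFromRequest) throws Exception {
        DefaultContext<String, Object> ctx = new DefaultContext<>();
        ctx.put("state", "DONE");
        String expr = "state == \"" + valueFromRequest + "\"";   // attacker controls the syntax
        // A value such as   x" || Runtime.getRuntime().exec("id") != null || "" == "
        // closes the string literal and appends a method call that the engine evaluates.
        return RUNNER.execute(expr, ctx, null, true, false);
    }

    /** HARDENED pattern: the rule comes from the workflow author; request data is a variable. */
    public static Object evalSafe(String authoredRule, Map<String, Object> requestData) throws Exception {
        if (RISKY.matcher(authoredRule).find()) {
            // Refuse and surface it; a rule matching this is the event to alert on.
            throw new IllegalArgumentException("rejected rule: " + authoredRule);
        }
        DefaultContext<String, Object> ctx = new DefaultContext<>();
        ctx.putAll(requestData);          // bound as data, never parsed as code
        List<String> errors = new ArrayList<>();
        Object result = RUNNER.execute(authoredRule, ctx, errors, true, false);
        if (!errors.isEmpty()) {
            throw new IllegalStateException("rule failed: " + errors);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        String rule = "state == \"DONE\" && retries < 5";         // authored with the workflow
        System.out.println(evalSafe(rule, Map.of("state", "DONE", "retries", 3)));   // true

        // The payload that breaks evalUnsafe is an inert string when bound as data
        // (constructed sample input):
        String payload = "x\" || Runtime.getRuntime().exec(\"id\") != null || \"\" == \"";
        System.out.println(evalSafe(rule, Map.of("state", payload, "retries", 3)));  // false

        // An authored rule that smuggles the same call is refused before evaluation:
        try {
            evalSafe("Runtime.getRuntime().exec(\"id\") != null", Map.of());
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The point of the hardened path is the separation of roles, not the regex: once request data is only ever visible to the engine as a bound variable, no value can change the rule's syntax, so the string that would have spawned a process under evalUnsafe just compares unequal to "DONE". The RISKY check and the engine-level switch are defence in depth for the case where a rule author's account or the rule store itself is compromised, and their rejections are worth logging because an expression naming Runtime or ProcessBuilder is a high-signal indicator of an attempt against this class of bug.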
Affected Countries
China, Japan, South Korea, United States, Germany, France, United Kingdom, India, Singapore, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-13T16:42:54.308Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693effcdb0f1e1d53011dae4
Added to database: 12/14/2025, 6:19:57 PM
Last enriched: 2/24/2026, 11:01:29 PM
Last updated: 3/25/2026, 4:36:59 AM
Views: 126