CVE-2025-14674: Injection in aizuda snail-job
A vulnerability was found in aizuda snail-job up to version 1.6.0. The affected code is the function QLExpressEngine.doEval in the file snail-job-common/snail-job-common-core/src/main/java/com/aizuda/snailjob/common/core/expression/strategy/QLExpressEngine.java. Manipulation of its input results in injection. The attack can be launched remotely. Upgrading to version 1.7.0-beta1 addresses this issue; the patch is identified as commit 978f316c38b3d68bb74d2489b5e5f721f6675e86. The affected component should be upgraded.
AI Analysis
Technical Summary
CVE-2025-14674 is an injection vulnerability in aizuda snail-job, a Java-based job scheduling and workflow automation tool. The flaw is in the QLExpressEngine.doEval method of the snail-job-common-core module, which evaluates expressions. Insufficient validation or sanitization of the input this method evaluates allows a remote attacker to inject malicious code or commands. All versions up to 1.6.0 are affected. Exploitation requires no user interaction but does require low privileges, so the attacker must already hold some authenticated access or limited permissions within the system. A successful injection could lead to unauthorized code execution or manipulation of job execution logic, affecting confidentiality, integrity, and availability. The issue is fixed in version 1.7.0-beta1; the fix is commit 978f316c38b3d68bb74d2489b5e5f721f6675e86. No public exploits are currently known, but the remote attack vector and the absence of any user-interaction requirement make this a notable risk for organizations that rely on snail-job for critical automation tasks.
Potential Impact
For European organizations, this vulnerability poses a moderate risk, primarily to those using aizuda snail-job to automate workflows, batch jobs, or scheduled tasks. Exploitation could allow an attacker to inject expressions that alter job execution, potentially leading to unauthorized data access, data corruption, or disruption of automated processes. This could affect business continuity, especially in sectors that rely heavily on automation such as finance, manufacturing, and IT services. The partial compromise of confidentiality and integrity could expose sensitive operational data or intellectual property, and availability could suffer if injected code disrupts or halts scheduled jobs. Because the attack vector is remote and no user interaction is required, the vulnerability could be exploited from outside the network if access controls are weak. However, the low-privilege requirement limits the attack surface to insiders or to attackers who have already gained limited access.
Mitigation Recommendations
European organizations should immediately upgrade all affected aizuda snail-job instances to version 1.7.0-beta1 or later to apply the official patch. In addition:
- Audit and restrict access controls so that only trusted accounts can reach the QLExpressEngine.doEval code path or submit expressions for evaluation (for example, through job or workflow definitions).
- Apply strict input validation and sanitization to any user-supplied data that reaches the expression engine.
- Monitor logs for unusual or unauthorized expression evaluations that could indicate attempted exploitation.
- Use network segmentation and firewall rules to restrict remote access to snail-job management interfaces.
- Conduct regular security assessments and penetration tests that focus on injection vulnerabilities in automation tools.
- Maintain an inventory of all automation tools and keep patch management timely to reduce exposure to similar vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-13T16:42:54.308Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693effcdb0f1e1d53011dae4
Added to database: 12/14/2025, 6:19:57 PM
Last enriched: 12/21/2025, 6:39:37 PM
Last updated: 2/7/2026, 12:51:39 AM