CVE-2025-59302: CWE-94 Improper Control of Generation of Code ('Code Injection') in Apache Software Foundation Apache CloudStack
In Apache CloudStack, an improper control of generation of code ('Code Injection') vulnerability is found in the following APIs, which are accessible only to admins:
- quotaTariffCreate
- quotaTariffUpdate
- createSecondaryStorageSelector
- updateSecondaryStorageSelector
- updateHost
- updateStorage
This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk.
AI Analysis
Technical Summary
CVE-2025-59302 is a code injection vulnerability categorized under CWE-94, found in Apache CloudStack, an open-source cloud computing software platform. The vulnerability affects multiple administrative APIs, including quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector, updateHost, and updateStorage. These APIs improperly handle the generation of code, specifically JavaScript expressions, allowing an attacker with administrative privileges to inject and execute arbitrary code within the CloudStack management server context. The affected versions range from 4.18.0 up to but not including 4.20.2, and from 4.21.0 up to but not including 4.22.0. The flaw arises because these APIs do not sufficiently restrict or sanitize JavaScript code input, leading to potential execution of malicious scripts. The Apache Software Foundation addressed this by introducing a new global configuration parameter, js.interpretation.enabled, which allows administrators to enable or disable JavaScript expression interpretation in these APIs, effectively mitigating the injection risk. The vulnerability has a CVSS v3.1 base score of 4.7, reflecting a medium severity level, with a network attack vector, low attack complexity, high privileges required, no user interaction, and limited impact on confidentiality, integrity, and availability. No public exploits or active exploitation campaigns have been reported to date. The vulnerability primarily threatens environments where administrative API access is exposed or compromised, potentially allowing attackers to execute unauthorized code, manipulate cloud resource configurations, or disrupt cloud operations.
Potential Impact
The vulnerability poses a moderate risk to organizations using affected Apache CloudStack versions, particularly those with exposed or poorly secured administrative interfaces. Successful exploitation requires administrative privileges, limiting the attack surface to insiders or attackers who have already compromised admin credentials. However, once exploited, attackers could inject malicious code that may alter cloud resource configurations, manipulate quotas, storage selectors, or host settings, potentially leading to unauthorized resource usage, data leakage, or service disruption. The impact on confidentiality, integrity, and availability is limited but non-negligible, as attackers could execute arbitrary code within the management server context. Organizations relying heavily on Apache CloudStack for cloud infrastructure management could face operational disruptions or data integrity issues. The absence of known exploits reduces immediate risk, but the presence of a fix and configuration controls indicates the vulnerability's seriousness. The medium CVSS score reflects the balance between required privileges and potential impact.
Mitigation Recommendations
Organizations should immediately upgrade Apache CloudStack to versions 4.20.2 or 4.22.0, which include the fix for this vulnerability. Until upgrades can be applied, administrators should disable JavaScript expression interpretation in the affected APIs by setting the global configuration flag js.interpretation.enabled to false. Restrict administrative API access strictly to trusted personnel and secure management interfaces using network segmentation, VPNs, or zero-trust principles. Implement strong authentication mechanisms for admin accounts, including multi-factor authentication, to reduce the risk of credential compromise. Regularly audit API usage logs for suspicious activities or anomalous commands that could indicate attempted exploitation. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious JavaScript payloads targeting these APIs. Conduct security awareness training for administrators to recognize and report unusual behaviors. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.
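The following is an added example (not part of this advisory and not Apache CloudStack's own code) that turns the recommendations above into two checks a defender can run: it decides whether a management-server version falls inside the affected ranges given in the description (4.18.0 up to but not including 4.20.2, and 4.21.0 up to but not including 4.22.0), and it flags calls to the six affected admin APIs in API log lines. The log lines are constructed for the example and their format is an assumption loosely modelled on an API access log; adapt the regular expression to your deployment. The `mitigation_api_params` helper builds the parameters for CloudStack's standard `updateConfiguration` API; note that, as the description states, the `js.interpretation.enabled` flag is introduced by the fix, so that call applies to a management server already running 4.20.2 or 4.22.0 (or later).

```python
"""Added example for CVE-2025-59302 (not from the advisory or the CloudStack
project): affected-version check, API log audit for the six affected admin
APIs, and parameters for the mitigating configuration change."""
import re
from typing import Dict, List, Tuple

# Affected ranges taken from the advisory text: [4.18.0, 4.20.2) and [4.21.0, 4.22.0)
AFFECTED_RANGES = [((4, 18, 0), (4, 20, 2)), ((4, 21, 0), (4, 22, 0))]

# The six admin APIs named in the advisory.
AFFECTED_APIS = {
    "quotaTariffCreate",
    "quotaTariffUpdate",
    "createSecondaryStorageSelector",
    "updateSecondaryStorageSelector",
    "updateHost",
    "updateStorage",
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce strings like '4.20.1.0' or '4.19.0-SNAPSHOT' to (major, minor, patch)."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Constructed sample log lines (format is an assumption, not a real capture).
SAMPLE_LOG = """\
2025-11-27 12:00:01,001 INFO  [c.c.a.ApiServer] (qtp-1:ctx-aaa) (logid:11111111) 10.0.0.5 -- GET command=listHosts&response=json 200
2025-11-27 12:00:02,002 INFO  [c.c.a.ApiServer] (qtp-2:ctx-bbb) (logid:22222222) 10.0.0.9 -- GET command=updateHost&id=abcd&response=json 200
2025-11-27 12:00:03,003 INFO  [c.c.a.ApiServer] (qtp-3:ctx-ccc) (logid:33333333) 10.0.0.9 -- GET command=quotaTariffUpdate&name=t1&response=json 200
2025-11-27 12:00:04,004 INFO  [c.c.a.ApiServer] (qtp-4:ctx-ddd) (logid:44444444) 10.0.0.5 -- GET command=listZones&response=json 200
"""

# Extracts timestamp, caller address and the API command name from one line.
LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) .*?(?P<src>\d+\.\d+\.\d+\.\d+) -- \w+ command=(?P<cmd>\w+)"
)


def audit_api_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line that invokes an affected API.

    Every such call is made by an admin, so a hit is a review item (who, when,
    from where), not proof of exploitation.
    """
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("cmd") in AFFECTED_APIS:
            hits.append(
                {"timestamp": m.group("ts"), "source": m.group("src"), "command": m.group("cmd")}
            )
    return hits


def mitigation_api_params(enabled: bool = False) -> Dict[str, str]:
    """Parameters for CloudStack's updateConfiguration API that set the flag the
    fix introduces (flag name from the advisory; only present in fixed versions)."""
    return {
        "command": "updateConfiguration",
        "name": "js.interpretation.enabled",
        "value": "true" if enabled else "false",
    }


if __name__ == "__main__":
    for v in ("4.18.0", "4.20.1", "4.20.2", "4.21.0", "4.22.0"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for hit in audit_api_log(SAMPLE_LOG):
        print("review:", hit)
    print(mitigation_api_params())
```

The version check treats the upper bound of each range as exclusive, matching the advisory's "before 4.20.2" and "before 4.22.0" wording, and a fourth version component (as in 4.19.1.0) is ignored for the comparison.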
Affected Countries
United States, Germany, India, China, United Kingdom, France, Japan, Canada, Australia, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2025-09-12T02:34:41.709Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69283d66e4a84287b53ab817
Added to database: 11/27/2025, 12:00:38 PM
Last enriched: 2/27/2026, 6:45:37 AM
Last updated: 3/21/2026, 6:17:27 AM
Views: 179