{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/553375#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nWolfram Cloud version 14.2 allows the Java Virtual Machine (JVM) unrestricted access to temporary resources in the `/tmp/` directory of the cloud environment, which may result in privilege escalation, information exfiltration, and remote code execution. Within the same cloud instance, the temporary directories of other users may be accessible.\r\n\r\n### Description\r\nWolfram Cloud is a multi-tenant cloud platform that provides a virtual \"notebook\" interface for programming and for quickly building and publishing integrated applications. In this architecture, the instance kernel's `/tmp/` directory is shared between users, with access permissions intended to separate them. Apart from the JVM initialization file, these temporary directories usually do not contain sensitive information. A newly discovered race condition allows an attacker to poison the classpath via the shared `/tmp/` directory during JVM initialization: if the attacker can predict when another user will launch the JVM, a malicious file placed in the unprotected temporary directory beforehand is picked up at startup.\r\nThe root cause is the hosting platform's implementation of the virtual environment, which manages access to temporary files in a multi-tenant cloud environment. 
A successful attack gives the attacker access to the temporary directories of other users.\r\n\r\n### Impact\r\nAn attacker with access to the shared `/tmp/` directory of the instance can potentially achieve privilege escalation, information exfiltration, and remote code execution.\r\nThis constitutes a Technical Impact = Total under the [SSVC framework](https://certcc.github.io/SSVC/reference/decision_points/technical_impact/), meaning:\r\n\r\n> The vulnerability gives the adversary total control over the behavior of the software or total disclosure of all information on the affected system.\r\n\r\n### Solution\r\nThe CERT/CC recommends updating Wolfram Cloud to version 14.2.1.\r\n\r\n### Acknowledgements\r\nThanks to the reporter Peter Roberge from Pointer Cybersecurity. This document was written by Laurie Tyzenhaus and Renae Metcalf.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"A CERT/CC Vulnerability Note is a limited advisory. It primarily identifies the vendors affected by the advisory, not specific products. Only the \"known_affected\" and \"known_not_affected\" statuses are supported. 
Please consult the vendor's statement and advisory URL, where the vendor provides them, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"The vulnerability, as originally reported, has been patched, to the best of our knowledge.","title":"Vendor statement from Wolfram Research Inc."}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/553375"},{"url":"https://github.com/PeterRoberge/vulnerability-wolfram-cloud-14.2/blob/main/disclosure.md","summary":"Reporter's disclosure write-up (GitHub)"}],"title":"Unprotected temporary directories in Wolfram Cloud version 14.2 may result in privilege escalation","tracking":{"current_release_date":"2025-11-11T22:09:30+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#553375","initial_release_date":"2025-11-11 22:09:30.867911+00:00","revision_history":[{"date":"2025-11-11T22:09:30+00:00","number":"1.20251111220930.1","summary":"Released on 2025-11-11T22:09:30+00:00"}],"status":"final","version":"1.20251111220930.1"}},"vulnerabilities":[{"title":"The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`).","notes":[{"category":"summary","text":"The default JVM can access files and directories under `/tmp/` including the `$TemporaryDirectory` of other users on the same cloud instance (`/tmp/UserTemporaryFiles/`). 
The `-init` file used for JVM initialization exists in the vulnerable directory during JVM startup. An attacker with access to the shared `/tmp/` space can preemptively create or replace `.jar` files or directories (referenced via the `-init` file) that the victim JVM resolves first in its classpath. By placing a malicious version of a commonly used library (e.g., `commons-io`) in a location that appears in the classpath before the legitimate version, the attacker causes the victim JVM to load the malicious class during startup, thereby executing the attacker's code in that JVM."}],"cve":"CVE-2025-11919","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#553375"}],"product_status":{"known_affected":["CSAFPID-8da2110a-39bf-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Wolfram Research Inc.","product":{"name":"Wolfram Research Inc. Products","product_id":"CSAFPID-8da2110a-39bf-11f1-8422-122e2785dc9f"}}]}}
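The classpath-poisoning race described in the note (a co-tenant pre-creating a `.jar` or directory in shared `/tmp/` so that the victim JVM resolves it first) can be checked for before a JVM is launched. The following is an added example, not code from Wolfram Research, CERT/CC or the reporter: it walks a classpath string, finds the directory that controls each entry (the entry's parent, or the nearest existing ancestor if the entry does not exist yet), and reports entries that another local user could create or replace because that directory is group- or world-writable. A sticky-bit `/tmp` is still reported, since the sticky bit only prevents deleting or renaming other users' files and does nothing against pre-creating a name before the victim does. The sandbox paths and the `commons-io.jar` file name are constructed for the demo (the name is taken from the advisory's example library); `tempfile.mkdtemp` stands in for the hardened per-user temporary directory (mode 0700).

```python
"""
Added example (not Wolfram's, CERT/CC's or the reporter's code): a pre-launch
check for classpath entries that a co-tenant of a shared /tmp could pre-create
or replace before the JVM resolves them.
"""
import os
import shutil
import stat
import tempfile


def _writable_by_others(path):
    """True if the group or world write bit is set on `path`."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def _nearest_existing(path):
    """Walk up until a component exists; that directory controls who may
    create the missing remainder of the path."""
    while not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def poisonable_entries(classpath, sep=os.pathsep):
    """Return the classpath entries (in classpath order, so earlier ones win
    resolution) that another local user could pre-create or replace."""
    flagged = []
    for entry in filter(None, classpath.split(sep)):
        target = os.path.abspath(entry)
        if os.path.basename(target) == "*":   # `dir/*` loads every jar in dir
            target = os.path.dirname(target)
        if os.path.exists(target):
            # An existing entry is poisonable if the entry itself (a jar or a
            # wildcard directory) or its parent can be written by others.
            if _writable_by_others(target) or _writable_by_others(os.path.dirname(target)):
                flagged.append(entry)
        else:
            # Not created yet: whoever can write the nearest existing ancestor
            # wins the race and decides what the JVM loads.
            if _writable_by_others(_nearest_existing(target)):
                flagged.append(entry)
    return flagged


def _touch(path, mode):
    """Create an empty file and force its mode (umask can only remove bits)."""
    os.close(os.open(path, os.O_CREAT | os.O_WRONLY, mode))
    os.chmod(path, mode)


def demo():
    """Build a sandbox (constructed for the demo) with a /tmp-like shared
    directory (mode 1777) and a private per-user directory (mode 0700, as
    tempfile.mkdtemp creates), then check a classpath that mixes both."""
    root = tempfile.mkdtemp(prefix="cp-demo-")
    try:
        shared = os.path.join(root, "shared_tmp")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)              # world-writable + sticky, like /tmp
        private = tempfile.mkdtemp(dir=root)  # 0700: only the owner can add files
        weak_jar = os.path.join(shared, "commons-io.jar")
        safe_jar = os.path.join(private, "commons-io.jar")
        _touch(weak_jar, 0o644)
        _touch(safe_jar, 0o644)
        weak_cp = os.pathsep.join([weak_jar, os.path.join(shared, "lib", "*"), safe_jar])
        return {
            "weak": poisonable_entries(weak_cp),       # the two shared_tmp entries
            "hardened": poisonable_entries(safe_jar),  # nothing flagged
            "shared": shared,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

In the demo the jar under the shared directory and the `shared_tmp/lib/*` wildcard are both reported, while the same jar under a `mkdtemp`-created 0700 directory is not; that is the difference the fix in 14.2.1 is meant to restore, namely that a user's `$TemporaryDirectory` and the files the `-init` file points to are not reachable by other tenants.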