Vulnerability Description
A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injected a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: * Hybrid_1.11.2+ * Hybrid_1.12.4+ * Hybrid_1.13.3+ * Hybrid_1.14.1+ * OPDK_5202+ * OPDK_5300+
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-13426?
CVE-2025-13426 is a documented vulnerability. A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a ...
How severe is CVE-2025-13426?
CVSS scoring is not yet available for CVE-2025-13426. Check NVD for updates.
Is there a patch for CVE-2025-13426?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.