CVE-2025-46295

CRITICAL 9.8 / 10.0
Published: December 16, 2025 at 06:16 PM
Modified: December 23, 2025 at 02:50 PM
Source: product-security@apple.com

Vulnerability Description

Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing commands or accessing external resources, an attacker could potentially achieve remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4.

CVSS Metrics

Base Score
9.8
Severity
CRITICAL
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

AI Security Analysis

01 // Technical Summary

Apache Commons Text versions prior to 1.10.0 are vulnerable to Remote Code Execution (RCE) due to insecure interpolation features. Attackers can exploit this by injecting malicious input into applications using the text-substitution API, potentially leading to system compromise and data exfiltration. This vulnerability is particularly dangerous because it allows for arbitrary command execution on the server.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: An attacker identifies an application that uses Apache Commons Text and passes user-controlled input to its text-substitution API.

Step 2: Malicious Input Injection: The attacker crafts a malicious string containing interpolation directives designed to exploit a vulnerable interpolator (e.g., script: or dns:).

Step 3: Interpolation Trigger: The application processes the attacker's input, triggering the interpolation process.

Step 4: Code Execution: The vulnerable interpolator executes the attacker's commands or accesses external resources as specified in the malicious input.

Step 5: System Compromise: The attacker gains control of the server, potentially leading to data exfiltration, further exploitation, or denial of service.

03 // Deep Technical Analysis

The vulnerability stems from the interpolation feature of Apache Commons Text, specifically from interpolators that can perform side effects. When an application passes untrusted input through this library, an attacker can craft strings that, once interpolated, trigger command execution or access to external resources. The root cause is twofold: the library does not adequately restrict which interpolators are enabled or what resources they may reach, and the application hands input to the substitution API without validating or sanitizing it first. The flaw therefore lies in the design of the interpolation mechanism, which lets the content of an input string select an interpolator that executes code. It is a logic flaw, not a memory-safety bug such as a buffer overflow or a race condition.
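The following is an added mitigation example, not code from this page, from Apple, or from the Apache Commons Text project. It assumes Commons Text 1.10.0 or later on the classpath and a hypothetical application that only ever needs the `sys:` (system property) lookup. Rather than calling `StringSubstitutor.createInterpolator()`, whose default lookup set on versions before 1.10.0 included the `script:` and `dns:` interpolators named above, it builds the interpolator from an explicit allowlist, so prefixes that can execute code or reach the network are never resolvable regardless of the library's defaults. The inputs in `main` are constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Hardened use of Apache Commons Text interpolation (added example; hypothetical
 * application code, not part of the library). The substitutor is built from an
 * explicit allowlist of lookups instead of StringSubstitutor.createInterpolator(),
 * so that only the prefixes this application needs can ever be resolved.
 */
public final class SafeSubstitutor {

    private static final StringSubstitutor SAFE = build();

    private static StringSubstitutor build() {
        // Allowlist: this hypothetical app only needs system-property lookups.
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());

        // defaultStringLookup = null: keys without an allowlisted prefix stay unresolved.
        // addDefaultLookups = false: do not merge in any version-dependent default set.
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);

        StringSubstitutor sub = new StringSubstitutor(interpolator);
        sub.setEnableSubstitutionInVariables(false); // no nested ${...} expansion
        return sub;
    }

    /** Resolves only allowlisted prefixes; any other ${...} token is left verbatim. */
    public static String substitute(String template) {
        return SAFE.replace(template);
    }

    public static void main(String[] args) {
        System.setProperty("app.name", "demo");

        // Constructed inputs: one legitimate template and one carrying the
        // interpolator prefixes the advisory describes.
        String legit = "Hello from ${sys:app.name}";
        String hostile = "a=${script:javascript:1+1} b=${dns:address|localhost}";

        System.out.println(substitute(legit));   // Hello from demo
        // script: and dns: are not in the allowlist, so nothing is executed or
        // resolved; the token text passes through unchanged.
        System.out.println(substitute(hostile));
        System.out.println(substitute(hostile).equals(hostile)); // true
    }
}
```

Since Commons Text 1.10.0, `createInterpolator()` no longer enables the `script:`, `dns:` and `url:` lookups by default, but an explicit allowlist as above does not depend on that default and survives a future change to it. For detection, unresolved `${script:` or `${dns:` tokens surviving in application output or logs are a useful signal that untrusted input is reaching the substitution API.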

CVE-2025-46295 - CRITICAL Severity (9.8) | Free CVE Database | 4nuxd