CVE-2025-4032

Published Apr 28, 2025

Last updated 2 months ago

CVSS low 2.3

Overview

Description: A vulnerability was found in inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e. It has been rated as critical. This issue affects the function subprocess.run/subprocess.Popen of the file AWorld/aworld/virtual_environments/terminals/shell_tool.py. The manipulation leads to os command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.
Source: cna@vuldb.com
NVD status: Analyzed

Risk scores

CVSS 4.0

Type: Secondary
Base score: 2.3
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: LOW

CVSS 3.1

Type: Primary
Base score: 8.1
Impact score: 5.9
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Secondary
Base score: 4.6
Impact score: 6.4
Exploitability score: 3.9
Vector string: AV:N/AC:H/Au:S/C:P/I:P/A:P

Weaknesses

cna@vuldb.com: CWE-77
nvd@nist.gov: CWE-78

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:inclusionai:aworld:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7B2C897C-8B30-40AA-A708-3BF9A0DD0480",
            "versionEndIncluding": "2025-04-24"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 4.0

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References