CVE-2025-30761: :A vulnerability in JDK's Nashorn Allows for Arbitrary Code Execution

Published Jul 15, 2025
·
Updated

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf and 11.0.27; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Affected Software

19 affected componentsFixes available
Oracle Java SE>=8u451<=8u451-perf
Oracle GraalVM Enterprise Edition
Oracle JRE=1.8.0-update451
Oracle JRE=1.8.0-update451
Oracle JRE=11.0.27
Oracle JDK=1.8.0-update451
Oracle JDK=1.8.0-update451
Oracle JDK=11.0.27
Oracle GraalVM=21.3.14
IBM Cognos Analytics<=11.2.0
IBM Cognos Analytics<=12.0
IBM Cognos Transformer<=12.0
IBM Cognos Transformer<=11.2.4
IBM Cognos Transformer<=12.1.0
IBM Cognos Analytics<=11.2.0
IBM Cognos Analytics<=12.1.0
IBM Cognos Analytics<=12.0
IBM Cognos Transformer<=11.2.4
IBM Cognos Transformer<=12.1.0

Event History

Jul 15, 2025
CVE Published
via MITRE·08:49 PM
Data Sourced
via MITRE·08:49 PM
DescriptionSeverity
Data Sourced
via NVD·09:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·09:15 PM
Affected Software
May 26, 2026
Data Sourced
via IBM·05:05 PM
DescriptionSeverityAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-30761?

The severity of CVE-2025-30761 is currently classified as difficult to exploit due to its nature.

2

How do I fix CVE-2025-30761?

To fix CVE-2025-30761, update Oracle Java SE to version 8u452 or higher and Oracle GraalVM Enterprise Edition to the latest available version.

3

Which Oracle products are affected by CVE-2025-30761?

CVE-2025-30761 affects Oracle Java SE versions 8u451, 8u451-perf, and 11.0.27, as well as Oracle GraalVM Enterprise Edition version 21.3.14.

4

Is CVE-2025-30761 being actively exploited?

As of now, there are no confirmed reports of CVE-2025-30761 being actively exploited in the wild.

5

What are the consequences of not addressing CVE-2025-30761?

Failure to address CVE-2025-30761 may expose systems to potential unauthorized access or other security risks.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203
CVE-2025-30761 - :A vulnerability in JDK's Nashorn Allows for Arbitrary Code Execution - SecAlerts