CVE-2022-25894: 
Java vulnerability analysis and mitigation

A Remote Code Execution (RCE) vulnerability was identified in all versions of the com.bstek.uflo:uflo-core package, tracked as CVE-2022-25894. The vulnerability was discovered in the ExpressionContextImpl class and was disclosed on October 31, 2022. The vulnerability stems from improper user input validation in the jexl.createExpression(expression).evaluate(context) functionality (NVD, Snyk).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), indicating its severe nature. The attack vector is network-based, with low attack complexity, requiring no privileges or user interaction. The vulnerability maintains unchanged scope, while impact ratings for confidentiality, integrity, and availability are all rated as high (Snyk).

The exploitation of this vulnerability can result in total loss of confidentiality, leading to exposure of all resources within the impacted component to the attacker. Additionally, there is a complete loss of integrity protection, allowing attackers to modify protected files. The vulnerability also causes total loss of availability, enabling attackers to fully deny access to resources in the impacted component (Snyk).

As of the vulnerability disclosure, there is no fixed version available for the com.bstek.uflo:uflo-core package (Snyk).