CVE-2025-53052: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-53052) was discovered in the Oracle Workflow product of Oracle E-Business Suite, specifically in the Workflow Notification Mailer component. The vulnerability affects versions 12.2.3 through 12.2.14. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Workflow. The vulnerability was disclosed on October 21, 2025, and received a CVSS 3.1 Base Score of 6.1 (Oracle CPU Oct 2025).

The vulnerability has been assigned a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required. The scope is changed, with low impacts to both confidentiality and integrity, but no impact on availability. The vulnerability requires human interaction from a person other than the attacker, and while the vulnerability exists in Oracle Workflow, attacks may significantly impact additional products (NVD).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data as well as unauthorized read access to a subset of Oracle Workflow accessible data. The vulnerability has potential scope change implications, meaning that it could affect components beyond the vulnerable component (Oracle CPU Oct 2025).

Oracle has released patches for this vulnerability as part of the October 2025 Critical Patch Update. Organizations running affected versions (12.2.3-12.2.14) of Oracle E-Business Suite should apply the security patches as soon as possible. Oracle strongly recommends that customers apply Critical Patch Update security patches without delay (Oracle CPU Oct 2025).

The vulnerability was reported by security researcher Kush Jijania, who was acknowledged in Oracle's Critical Patch Update Advisory for October 2025 (Oracle CPU Oct 2025).