
Cloud Vulnerability DB
A community-led vulnerabilities database
A code injection vulnerability (CVE-2025-54466) was discovered in Apache OFBiz's scrum plugin affecting versions before 24.09.02. The vulnerability allows unauthenticated attackers to achieve Remote Code Execution (RCE) through the scrum plugin functionality (NVD, Apache Security).
The vulnerability is classified as an Improper Control of Generation of Code (CWE-94) issue. It received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and no required privileges or user interaction. The vulnerability specifically occurs when calling the SVN command to retrieve a revision diff, where the system directly executes concatenated strings (NVD, Apache Jira).
The vulnerability enables unauthenticated attackers to execute arbitrary code on affected systems through the scrum plugin, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability of the system (NVD).
Users are strongly advised to upgrade to Apache OFBiz version 24.09.02, which contains the fix for this vulnerability. The fix changes how the command is executed: the command and its arguments are passed as an array (table) of strings rather than as a single concatenated string (Apache Download, Apache Security).
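The following is an added illustration of the two execution patterns the report contrasts; it is not code from Apache OFBiz or from this report. It assumes the diff is produced by a command of the shape `svn diff -c <revision> <repository URL>`, that only the revision comes from the request, and that the repository URL is server-side configuration; the class and method names are made up for the example.

```java
import java.io.IOException;
import java.util.regex.Pattern;

public final class SvnRevisionDiff {
    // Constructed for this example: the page does not show OFBiz's parameter names or exact command.
    private static final Pattern REVISION = Pattern.compile("[0-9]{1,10}");

    // Vulnerable pattern: the request-supplied revision is concatenated into one command string
    // that a shell then parses, so whatever the shell treats specially in that value alters the
    // command that actually runs. This is the concatenated-string approach the report describes.
    static Process diffUnsafe(String repoUrl, String revision) throws IOException {
        String cmd = "svn diff -c " + revision + " " + repoUrl;
        return new ProcessBuilder("/bin/sh", "-c", cmd).start();
    }

    // Hardened pattern, in the spirit of the 24.09.02 fix: the command is built as an array of
    // strings, so the revision is always exactly one argument and no shell is involved. The value
    // is additionally restricted to the decimal form a Subversion revision number takes.
    static String[] buildDiffArgv(String repoUrl, String revision) {
        if (revision == null || !REVISION.matcher(revision).matches()) {
            throw new IllegalArgumentException("revision must be a decimal revision number");
        }
        return new String[] {"svn", "diff", "-c", revision, repoUrl};
    }

    static Process diffSafe(String repoUrl, String revision) throws IOException {
        return new ProcessBuilder(buildDiffArgv(repoUrl, revision))
                .redirectErrorStream(true)
                .start();
    }

    public static void main(String[] args) {
        String repo = "https://svn.example.invalid/project/trunk"; // constructed placeholder URL
        System.out.println(String.join(" ", buildDiffArgv(repo, "1234")));
        try {
            // A value carrying whitespace or other non-digits cannot become extra arguments:
            // it is rejected before any process is started.
            buildDiffArgv(repo, "1234 --xml");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Even with the array form, validating the revision is worth keeping: it turns malformed input into a logged application error rather than an `svn` invocation with an unexpected argument.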
Source: This report was generated using AI