CVE-2025-56769: 
Java vulnerability analysis and mitigation

An issue was discovered in chinabugotech hutool before 5.8.4 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class. The vulnerability was discovered and disclosed on July 22, 2025 (GitHub Issue).

The vulnerability exists in the QLExpressEngine component where parameters are not verified before untrusted data is passed into evaluation. The allowClassSet parameter, intended to serve as a class whitelist, is never passed to engine.execute(), allowing execution of classes outside the default blacklist. This implementation flaw means attackers can inject calls to dangerous APIs such as JNDI lookups or Runtime.exec. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) (NVD).

The vulnerability allows attackers to execute arbitrary code remotely through crafted expressions. This could lead to complete system compromise, as demonstrated by proof-of-concept code that successfully executes JNDI lookups to arbitrary URLs (GitHub Issue).

The recommended fix includes enhancing the security posture of QLExpressEngine by enforcing a stricter blacklist for method invocation, enabling prevention of dangerous calls, and explicitly blacklisting known risky methods. Additionally, QLExpress should be configured to use an explicit whitelist of permitted classes and methods through QLExpressRunStrategy (GitHub Issue).