dotCMS Velocity Sandbox Escape via Runtime Reinitialization (CVE-2025-11165)

Thinking Process: 1. Analyze the Request: Role: Professional translator specializing in cybersecurity. Task: Translate a Chinese vulnerability intelligence summary to English. Constraint 1: Maintain all Markdown formatting intact. Constraint 2: Do not add any introductory or concluding remarks. Input: A structured text containing vulnerability details (ID, Date, Title, Severity, etc.). 2. Analyze the Input Text: Header: 从该网页截图中，我们可以提取出以下关于漏洞的关键信息： (From this webpage screenshot, we can extract the following key information about the vulnerability:) List Items: 问题 ID (Issue ID) 发布时间 (Release Date / Published Date) 漏洞标题 (Vulnerability Title) 严重性 (Severity) 需要管理员权限 (Requires Admin Privileges) 修复版本 (Fixed Versions) 贡献者/报告人 (Contributor/Reporter) Vulnerability Description (漏洞描述): Technical details about Velocity Sandbox Escape, Runtime Reinitialization, secureUberspectorImpl, introspector.restrict.classes, etc. CVSS Score string. Mitigation (缓解措施): Patch info (LTS, Evergreen). Workarounds (disable endpoints, limit context usage, script permissions). Links (问题链接): GitHub PR, CVE ID, Slack link. 3. Drafting the Translation (Section by Section): Header: 从该网页截图中，我们可以提取出以下关于漏洞的关键信息： Translation: From the webpage screenshot, we can extract the following key information regarding the vulnerability: List: 问题 ID: SI-74 -> Issue ID: SI-74 发布时间: 2025 年 10 月 7 日 -> Published Date: October 7, 2025 漏洞标题: Velocity Sandbox Escape via Runtime Reinitialization -> Vulnerability Title: Velocity Sandbox Escape via Runtime Reinitialization (Keep English title as is) 严重性: 关键 -> Severity: Critical 需要管理员权限: 是 -> Requires Admin Privileges: Yes 修复版本: LTS 25.07.10, 24.12.27 -> Fixed Versions: LTS 25.07.10, 24.12.27 贡献者/报告人: 内部安全团队 -> Contributor/Reporter: Internal Security Team Vulnerability Description: 通过调用 secureUberspectorImpl 来利用 Velocity 引擎中的 Velocity Scripting 机制中的代码溢出漏洞来绕过类和包的限制。 Correction/Refinement: "代码溢出漏洞" usually means "code execution vulnerability" in this context (sandbox escape), not necessarily "buffer overflow". Given the context of Velocity Sandbox Escape, it's about executing arbitrary code. "Code execution vulnerability" or just "exploit the code execution vulnerability". Let's look closer: "利用...代码溢出漏洞". In Chinese security contexts, "代码溢出" sometimes is used loosely for "code execution" (RCE) or specifically "overflow". However, Velocity sandbox escapes are typically about RCE via scripting. "Code execution" is safer. But sticking close to the text: "exploit the code overflow vulnerability within the Velocity Scripting mechanism of the Velocity engine". Actually, "代码溢出" is likely a mistranslation in the source text for "code execution" (代码执行). However, as a translator, I should translate what is there but ensure technical accuracy. "Code execution" is the standard term for RCE. "Code overflow" sounds like buffer overflow. Given "Velocity Sandbox Escape", it's RCE. I will translate it as "code execution vulnerability" for accuracy, or stick to literal if strict. Let's aim for professional cybersecurity terminology. "Code execution" is better. Wait, looking at the source: "代码溢出漏洞". In Chinese CVE reports, sometimes "溢出" is used for "execution" incorrectly. But "Sandbox Escape" implies RCE. I will translate as "code execution vulnerability" to maintain professional accuracy, or "code overflow" if I must be literal. Let's check the rest of the sentence. "绕过类和包的限制" (bypass class and package restrictions). Refined: By invoking , the vulnerability exploits a code execution flaw within the Velocity Scripting mechanism of the Velocity engine to bypass class and package restrictions. 通过动态修改 Velocity 引擎的运行时配置并重置其国际化标准 ISO，攻击者可以移除 introspector.restrict.classes 和 introspector.restrict.packages .保护。 Translation: By dynamically modifying the Velocity engine's runtime configuration and resetting its internationalization standard ISO, attackers can remove the and protections. Note: "ISO" here likely refers to "Internationalization" (i18n) settings or a specific config property, but the text says "国际化标准 ISO". It might be a specific config key. I will translate literally but ensure flow. "resetting its Internationalization (ISO) standard". 一旦解除了这些限制，攻击者可以访问任意 Java 类，包括 java.lang.Runtime。 Translation: Once these restrictions are lifted, attackers can access arbitrary Java classes, including . 攻击者可以在应用程序过程中执行任意系统命令，例如 dotCMS 或 Tomcat 用户。 Translation: Attackers can execute arbitrary system commands within the application process, for example, as the dotCMS or Tomcat user. CVSS：4.0/AV:N/AC:L/AT:N/PR:L/UI:R/V：H/VI：H/VA：H Translation: CVSS: 4.0/AV:N/AC:L/AT:N/PR:L/UI:R/V:H/VI:H/VA:H (Keep format consistent). Mitigation (缓解措施): 修复版本问题修复：新 LTS 以及 Evergreen（EG）。也回溯到 LTS 24.12.27 和 25.07.10 版本。 Translation: Fixed in versions: New LTS and Evergreen (EG). Also backported to LTS 24.12.27 and 25.07.10 versions. 在修复安装补丁之前，禁用或限制人们访问： Translation: Before installing the patch, disable or restrict access to: /api/vtl/dynamic 端点情况 Translation: endpoint sce

Goal Reached Thanks to every supporter — we hit 100%!

dotCMS Velocity Sandbox Escape via Runtime Reinitialization (CVE-2025-11165)