CVE-2025-27107: Integrated Scripting vulnerable to arbitrary code execution via Java reflection

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-27107

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Integrated Scripting vulnerable to arbitrary code execution via Java reflection

Source: NVD (National Vulnerability Database)

Vulnerability Description

Integrated Scripting is a tool for creating scripts for handling complex operations in Integrated Dynamics. Minecraft users who use Integrated Scripting prior to versions 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, and 1.19.2-1.0.10 may be vulnerable to arbitrary code execution. By using Java reflection on a thrown exception object it's possible to escape the JavaScript sandbox for IntegratedScripting's Variable Cards, and leverage that to construct arbitrary Java classes and invoke arbitrary Java methods. This vulnerability allows for execution of arbitrary Java methods, and by extension arbitrary native code e.g. from `java.lang.Runtime.exec`, on the Minecraft server by any player with the ability to create and use an IntegratedScripting Variable Card. Versions 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, and 1.19.2-1.0.10 fix the issue.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

输出中的特殊元素转义处理不恰当(注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

IntegratedScripting 注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

IntegratedScripting是Cyclops开源的一个在集成动力学中创建用于处理复杂操作的脚本。 IntegratedScripting存在注入漏洞，该漏洞源于通过Java反射在抛出的异常对象上逃逸JavaScript沙箱，从而构造任意Java类并调用任意Java方法，可能导致任意代码执行。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
CyclopsMC	IntegratedScripting	< 1.21.1-1.0.17	-

II. Public POCs for CVE-2025-27107

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-27107

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same weakness: CWE-74

V. Comments for CVE-2025-27107

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2025-27107

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-27107

III. Intelligence Information for CVE-2025-27107

IV. Related Vulnerabilities

V. Comments for CVE-2025-27107

Leave a comment