The Apache CloudStack project announced today the release of LTS versions 4.20.2.0 and 4.22.0.0, which address CVE-2025-59302 and CVE-2025-59454 – both low-severity vulnerabilities affecting CloudStack users as described below.
CVE-2025-59302: Improper Control of Generation of Code (‘Code Injection’)
In Apache CloudStack, an improper control of generation of code (‘Code Injection’) vulnerability was found in the following APIs, which are accessible only to admins:
– quotaTariffCreate
– quotaTariffUpdate
– createSecondaryStorageSelector
– updateSecondaryStorageSelector
– updateHost
– updateStorage
The fix introduces a new global configuration setting, js.interpretation.enabled, that lets administrators control whether JavaScript expressions passed to these APIs are interpreted at all, thereby mitigating the code injection risk. Operators should check the value of this setting after upgrading rather than assume it.
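The following is an added example, not code from the advisory or from the CloudStack project. It builds signed CloudStack API requests that an administrator could use after the upgrade to read the js.interpretation.enabled setting (listConfigurations) and to switch it off (updateConfiguration). The endpoint, API key and secret key are placeholders, and setting the value to "false" to disable interpretation is an assumption based on the setting's name; the request-signing scheme (sorted and lower-cased query string, HMAC-SHA1 with the secret key, base64) is the standard CloudStack API signature. A verify function is included so a signed request captured from a client or a log line can be checked against the secret.

```python
"""Signed CloudStack API requests for inspecting and hardening
js.interpretation.enabled after upgrading.

Added example, not from the advisory or the CloudStack project.
ENDPOINT, API_KEY and SECRET_KEY are placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

ENDPOINT = "https://cloudstack.example.com/client/api"  # placeholder
API_KEY = "EXAMPLE-API-KEY"        # placeholder, not a real key
SECRET_KEY = "EXAMPLE-SECRET-KEY"  # placeholder, not a real key
SETTING = "js.interpretation.enabled"


def _canonical_query(params: dict) -> str:
    # Keys sorted case-insensitively; values URL-encoded with '*' left
    # untouched, the convention the CloudStack clients use.
    return "&".join(
        f"{k}={quote(str(v), safe='*')}"
        for k, v in sorted(params.items(), key=lambda kv: kv[0].lower())
    )


def _signature(query: str, secret_key: str) -> str:
    # CloudStack signs the lower-cased canonical query string with
    # HMAC-SHA1 keyed by the secret key and base64-encodes the digest.
    digest = hmac.new(secret_key.encode(), query.lower().encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(params: dict, api_key: str, secret_key: str) -> str:
    """Return the signed query string (without the endpoint) for params."""
    full = dict(params, apikey=api_key, response="json")
    query = _canonical_query(full)
    return f"{query}&signature={quote(_signature(query, secret_key), safe='')}"


def verify_request(query: str, secret_key: str) -> bool:
    """Recompute the signature of a signed query string and compare it.

    Returns False for a missing signature, a wrong secret, or any
    parameter that was altered after signing.
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    sig = dict(pairs).get("signature")
    if sig is None:
        return False
    unsigned = {k: v for k, v in pairs if k != "signature"}
    expected = _signature(_canonical_query(unsigned), secret_key)
    return hmac.compare_digest(expected, sig)


def check_setting_request() -> str:
    """Signed listConfigurations call that reports the current value."""
    return sign_request({"command": "listConfigurations", "name": SETTING},
                        API_KEY, SECRET_KEY)


def disable_js_request() -> str:
    """Signed updateConfiguration call that sets the flag to false.

    Assumption: "false" disables JavaScript interpretation in the affected
    admin APIs; confirm against the 4.20.2.0 / 4.22.0.0 release notes.
    """
    return sign_request({"command": "updateConfiguration", "name": SETTING,
                         "value": "false"}, API_KEY, SECRET_KEY)


if __name__ == "__main__":
    print(f"{ENDPOINT}?{check_setting_request()}")
    print(f"{ENDPOINT}?{disable_js_request()}")
```

Run the script with real credentials substituted and issue the printed URLs with any HTTP client; the listConfigurations response shows the setting's current value, and updateConfiguration changes it. Because the signature covers every parameter, verify_request rejects a request whose value was changed after signing, which is the property that stops a captured admin request from being replayed with a different payload.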
CVE-2025-59454: Exposure of Sensitive Information to an Unauthorised Actor
In Apache CloudStack, a gap in access control checks affected the following APIs:
– createNetworkACL
– listNetworkACLs
– listResourceDetails
– listVirtualMachinesUsageHistory
– listVolumesUsageHistory
While these APIs were accessible only to authorised users, insufficient permission validation meant that an authenticated user could, in some cases, access information beyond their intended scope.
Affected Versions
CVE-2025-59302: Apache CloudStack 4.18.0.0 through 4.20.1.0 and 4.21.0.0
CVE-2025-59454: Apache CloudStack 4.0.0 through 4.20.1.0 and 4.21.0.0
Resolution
Affected users are advised to upgrade to version 4.20.2.0 or 4.22.0.0 (or later), which address both issues.
Release Notes
The 4.20.2.0 and 4.22.0.0 release notes can be found at:
https://docs.cloudstack.apache.org/en/4.20.2.0/releasenotes/about.html
https://docs.cloudstack.apache.org/en/4.22.0.0/releasenotes/about.html
Ivet Petrova is the Marketing Director of ShapeBlue. She is responsible for strengthening ShapeBlue’s global brand and market awareness of ShapeBlue’s services. Specifically, Ivet’s team is responsible for brand, advertising, content and digital marketing, social media, and media relations.
Ivet is also an active member of the CloudStack community, working on increasing the awareness of the technology and showing its benefits to a wider market.
Ivet has 13+ years of experience in marketing for IT service providers including a number of cloud and hosting providers, storage companies, SaaS providers and software development companies. She holds a Masters degree in Marketing.
Away from work, Ivet is passionate about travelling around the world and exploring new cultures.