Platform: java
Component: org.apache.ranger:ranger-plugins-common
Fixed in: 2.7.1, 2.8.0
A critical Remote Code Execution (RCE) vulnerability (CVE-2025-59059) has been identified in Apache Ranger Plugins Common versions up to and including 2.7.0. The vulnerability resides in the NashornScriptEngineCreator component and allows attackers to execute arbitrary code on affected systems. Users are strongly advised to upgrade to version 2.8.0 to address this security risk.
The NashornScriptEngineCreator component in Apache Ranger Plugins Common is vulnerable to RCE. An attacker could craft malicious scripts that, when processed by the component, lead to arbitrary code execution on the server. This could grant the attacker complete control over the Ranger server, enabling them to steal sensitive data, modify configurations, or pivot to other systems within the network. The potential impact is significant: Ranger is typically used to manage and enforce security policies across many data sources, which makes it a high-value target. Successful exploitation could lead to widespread data breaches and system compromise.
CVE-2025-59059 was published on 2026-03-03. The vulnerability's severity is rated as CRITICAL (CVSS 9.8). There are currently no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog as of this writing. The Nashorn scripting engine has been a source of vulnerabilities in the past, highlighting the importance of keeping dependencies up to date.
Exploit Status
EPSS: 0.42% (62nd percentile)
CVSS Vector
The primary mitigation for CVE-2025-59059 is to upgrade Apache Ranger Plugins Common to version 2.8.0 or later, which contains the fix. If an immediate upgrade is not feasible because of compatibility issues or downtime constraints, consider temporary workarounds. No specific WAF rules are readily available, but restricting access to the NashornScriptEngineCreator component, or applying strict input validation to any scripts it processes, reduces the attack surface. Monitor Ranger logs for suspicious activity related to script execution. After upgrading, confirm the fix by attempting to execute a known malicious script and verifying that it is blocked or handled safely.
Upgrade Apache Ranger to version 2.8.0 or higher. This version corrects the remote code execution vulnerability in NashornScriptEngineCreator. Updating is the safest way to mitigate this risk.
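A quick way to tell whether a build declares an affected version is to scan its pom.xml for the coordinates listed above. The script below is an added example, not code from this advisory or from the Ranger project; it assumes a plain pom.xml in which the version is declared directly or through a <properties> entry, flags anything below 2.7.1 as affected, and marks pre-release or inherited versions as needing a manual check.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
AFFECTED = ("org.apache.ranger", "ranger-plugins-common")
FIRST_FIXED = (2, 7, 1)  # advisory: affected up to 2.7.0; fixed in 2.7.1 and 2.8.0


def classify(version):
    """'affected' for releases below 2.7.1, 'fixed' for 2.7.1+ releases, and
    'unknown' when the version is inherited/unresolved or a pre-release such
    as 2.7.1-SNAPSHOT, which may predate the fix and needs a manual check."""
    if version is None or "$" in version:  # inherited or unresolved property
        return "unknown"
    base, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", base))[:3]
    if nums + (0,) * (3 - len(nums)) < FIRST_FIXED:
        return "affected"
    return "unknown" if qualifier else "fixed"


def scan_pom(pom_xml):
    """Return [(declared version, status)] for every declaration of the
    affected artifact; ${...} references are resolved from <properties>."""
    root = ET.fromstring(pom_xml)

    def text(elem, tag):
        return (elem.findtext(NS + tag) or "").strip() or None

    props = {p.tag[len(NS):]: (p.text or "").strip()
             for p in root.findall(NS + "properties/*")}
    props.setdefault("project.version", text(root, "version") or "")
    findings = []
    for dep in root.iter(NS + "dependency"):
        if (text(dep, "groupId"), text(dep, "artifactId")) != AFFECTED:
            continue
        version = text(dep, "version")
        if version:  # resolve ${ranger.version}-style property references
            version = re.sub(r"\$\{([^}]+)\}",
                             lambda m: props.get(m.group(1), m.group(0)), version)
        findings.append((version, classify(version)))
    return findings

# Constructed sample pom.xml (not from the advisory); version comes from a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><ranger.version>2.7.0</ranger.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.ranger</groupId><artifactId>ranger-plugins-common</artifactId>
    <version>${ranger.version}</version>
  </dependency></dependencies>
</project>"""
```

Versions inherited from a parent POM or a BOM are reported as unknown; in that case run `mvn dependency:tree` and check the resolved version of ranger-plugins-common against 2.7.1.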
CVE-2025-59059 is a critical Remote Code Execution vulnerability in Apache Ranger Plugins Common versions up to 2.7.0, allowing attackers to execute arbitrary code.
Yes, if you are using Apache Ranger Plugins Common versions 2.7.0 or earlier, you are vulnerable to this RCE.
Upgrade Apache Ranger Plugins Common to version 2.8.0 or later to remediate the vulnerability.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the Apache Ranger security page for the latest information and advisory: [https://ranger.apache.org/security/](https://ranger.apache.org/security/)