Oracle GraalVM for JDK 17.0.16/21.0.8 Compiler information disclosure

Summaryinfo

A vulnerability marked as problematic has been reported in Oracle GraalVM for JDK 17.0.16/21.0.8. Affected by this issue is some unknown functionality of the component Compiler. The manipulation leads to information disclosure. This vulnerability is referenced as CVE-2025-61755. Remote exploitation of the attack is possible. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Oracle GraalVM for JDK 17.0.16/21.0.8. It has been rated as problematic. This issue affects an unknown code of the component Compiler. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. The summary by CVE is:

Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.16 and 21.0.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

The advisory is shared at oracle.com. The identification of this vulnerability is CVE-2025-61755 since 09/30/2025. The exploitation is known to be difficult. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 06/11/2026). MITRE ATT&CK project uses the attack technique T1592 for this issue.

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at CERT Bund (WID-SEC-2025-2365). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

• IBM MQ
• NetApp ActiveIQ Unified Manager
• IBM SPSS
• Hitachi Command Suite
• Hitachi Ops Center
• IBM TXSeries
• IBM Sterling Connect:Direct
• IBM DB2
• IBM Rational Application Developer for WebSphere Software
• Oracle Java SE
• Amazon Corretto
• IBM Java
• IBM Semeru Runtime
• IBM Tivoli Netcool/OMNIbus
• Dell NetWorker
• Open Source Camunda
• RealObjects PDFreactor
• IBM License Metric Tool
• IBM DataPower Gateway
• IBM Security Verify Access
• IBM Rational Software Architect
• IBM Cognos Analytics
• Debian Linux
• Amazon Linux 2
• IBM InfoSphere Information Server
• Open Source OpenJDK
• Red Hat Enterprise Linux
• IBM WebSphere Application Server
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• IBM Tivoli Monitoring
• IBM Integration Bus
• IBM Tivoli Network Manager
• IBM Tivoli Business Service Manager
• IBM Business Automation Workflow
• Hitachi Configuration Manager
• IBM QRadar SIEM
• IBM Rational Business Developer
• IBM Tivoli Key Lifecycle Manager
• SUSE openSUSE
• RESF Rocky Linux
• IBM App Connect Enterprise
• Xerox FreeFlow Print Server

Productinfo

Type

• Programming Tool Software

Vendor

• Oracle

Name

• GraalVM for JDK

Version

• 17.0.16
• 21.0.8

License

• commercial

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion