{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-65037", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-11-13T16:18:07.466Z", "datePublished": "2025-12-18T22:02:06.737Z", "dateUpdated": "2026-04-16T14:19:05.350Z"}, "containers": {"cna": {"title": "Azure Container Apps Remote Code Execution Vulnerability", "datePublic": "2025-12-18T08:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_container_apps:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Container Apps", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "lang": "en-US", "type": "CWE", "cweId": "CWE-94"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-16T14:19:05.350Z"}, "references": [{"name": "Azure Container Apps Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-65037"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-65037", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-20T04:56:21.095429Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:07:26.165Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-65037", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-20T04:56:21.095429Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-19T15:10:37.271Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Azure Container Apps Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Container Apps", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2025-12-18T08:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-65037", "name": "Azure Container Apps Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_container_apps:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-02-20T15:59:41.936Z"}}}, "cveMetadata": {"cveId": "CVE-2025-65037", "state": "PUBLISHED", "dateUpdated": "2026-02-26T16:07:26.165Z", "dateReserved": "2025-11-13T16:18:07.466Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2025-12-18T22:02:06.737Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_container_apps:-:*:*:*:*:*:*:*", "matchCriteriaId": "6C0A8A8E-92CD-4FD8-B498-849CBCE0075C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network."}], "id": "CVE-2025-65037", "lastModified": "2026-01-15T21:55:28.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2025-12-18T22:16:01.433", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-65037"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "secure@microsoft.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T15:38:16.968781+00:00", "value": {"mitigation_remediation": ["Update Azure Container Apps to the latest patched version released by Microsoft.", "Restrict inbound traffic to the container app to trusted IP ranges or employ network segmentation to limit exposure.", "Review and harden any code generation logic to ensure untrusted input is not used without strict validation or sanitization."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Microsoft Azure Container Apps is affected. No specific version information is disclosed; all deployments of Azure Container Apps are potentially vulnerable.", "description_and_impact": "Improper control of code generation in Azure Container Apps allows an attacker to inject and execute arbitrary code over the network. The flaw is a classic code injection weakness identified as CWE-94. If successfully exploited the attacker can compromise the container process, altering data, exfiltrating information, or causing service disruptions.", "risk_and_exploitability": "The CVSS score of 10 indicates the vulnerability is critical. Although the EPSS score is below 1%, suggesting currently low exploitation likelihood, the lack of a CISA KEV listing does not mitigate the inherent risk; any successful exploitation grants full control of the container. The attack vector is network\u2011based, meaning any network traffic to the container could be abused, so containment and patching are urgent."}}}}, "created": "2026-04-20T15:45:10.379983+00:00", "updated": "2026-04-20T15:45:10.379994+00:00", "vendors": []}