CVE-2025-56769: Hutool allows remote code execution (RCE) via the QLExpressEngine class

September 26, 2025 (updated November 10, 2025)

An issue was discovered in chinabugotech hutool before 5.8.40 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution (RCE) via the QLExpressEngine class.

References

github.com/advisories/GHSA-gcfh-36x4-mgj6
github.com/chinabugotech/hutool
github.com/chinabugotech/hutool/commit/3d0d8dea4bc2fac2e9b45dc67244195f30e42e4b
github.com/chinabugotech/hutool/issues/3994
nvd.nist.gov/vuln/detail/CVE-2025-56769

Code Behaviors & Features

Detect and mitigate CVE-2025-56769 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →