Description
Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
Published: 2025-12-18
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Improper control of code generation in Azure Container Apps allows an attacker to inject and execute arbitrary code over the network. The flaw is a classic code injection weakness, identified as CWE-94. If it is successfully exploited, the attacker can compromise the container process, altering data, exfiltrating information, or causing service disruptions.

Affected Systems

Microsoft Azure Container Apps is affected. No specific version information is disclosed; all deployments of Azure Container Apps are potentially vulnerable.

Risk and Exploitability

The CVSS score of 10 indicates the vulnerability is critical. The EPSS score is below 1%, suggesting a currently low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, but neither fact reduces the inherent risk: any successful exploitation grants full control of the container. The attack vector is network-based, meaning any network traffic to the container could be abused, so containment and patching are urgent.

Generated by OpenCVE AI on April 20, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Azure Container Apps to the latest patched version released by Microsoft.
  • Restrict inbound traffic to the container app to trusted IP ranges or employ network segmentation to limit exposure.
  • Review and harden any code generation logic to ensure untrusted input is not used without strict validation or sanitization.


Advisories

No advisories yet.

History

Thu, 15 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:azure_container_apps:-:*:*:*:*:*:*:*

Fri, 19 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Description Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network.
Title Azure Container Apps Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft azure Container Apps
Weaknesses CWE-94
CPEs cpe:2.3:a:microsoft:azure_container_apps:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Container Apps
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:19:05.350Z

Reserved: 2025-11-13T16:18:07.466Z

Link: CVE-2025-65037

Vulnrichment

Updated: 2025-12-19T15:10:37.271Z

NVD

Status: Analyzed

Published: 2025-12-18T22:16:01.433

Modified: 2026-01-15T21:55:28.097

Link: CVE-2025-65037

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses