Spotfire Security Advisory: April 08, 2025: Spotfire - CVE-2025-3115

Article ID: KB0137554

Products                                             Versions
Spotfire Analyst                                     14.0.5 and earlier, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
Spotfire Statistics Services                         14.0.6 and earlier, 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
Spotfire Enterprise Runtime for R - Server Edition   1.17.6 and earlier, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1
Spotfire Service for Python                          1.17.6 and earlier, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1
Spotfire Service for R                               1.17.6 and earlier, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1
Spotfire Desktop                                     14.4.1 and earlier

Description

Spotfire Security Advisory: April 08, 2025: Spotfire - CVE-2025-3115

Spotfire Data Function Vulnerability

Original release date: April 08, 2025
Last revised: —
CVE-2025-3115
Source: Cloud Software Group Inc.

Description

Vulnerabilities have been identified in Spotfire's Data Functions which could allow attackers to exploit the system in the following ways:

  • Injection: an attacker can inject malicious code into a Data Function, potentially gaining control over the system that executes these functions.
  • Insufficient filename validation during file upload: an attacker can upload and execute malicious files, leading to arbitrary code execution.

Impact

Successful exploitation of these vulnerabilities within Data Functions could allow an attacker to inject malicious code, gain control over the execution environment, and execute arbitrary files through improperly validated file uploads.

CVSS v4.0 Base Score: 9.4 (Critical)
(CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Environment

Products Affected

  • Spotfire Statistics Services 14.0.6 and earlier
  • Spotfire Statistics Services 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
  • Spotfire Enterprise Runtime for R - Server Edition 1.17.6 and earlier
  • Spotfire Enterprise Runtime for R - Server Edition 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1
  • Spotfire Service for Python 1.17.6 and earlier
  • Spotfire Service for Python 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1
  • Spotfire Service for R 1.17.6 and earlier
  • Spotfire Service for R 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1
  • Spotfire Analyst 14.0.5 and earlier
  • Spotfire Analyst 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
  • Deployment Kit used in Spotfire Server 14.0.6 and earlier
  • Deployment Kit used in Spotfire Server 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1
  • Spotfire Desktop 14.4.1 and earlier
  • Spotfire for AWS Marketplace 14.4.1 and earlier

Resolution

Cloud Software Group has released updated versions of the affected systems which address this issue:

  • Spotfire Statistics Services 14.0.6 and earlier: upgrade to version 14.0.7 or higher
  • Spotfire Statistics Services 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1: upgrade to version 14.4.2 or higher
  • Spotfire Enterprise Runtime for R - Server Edition 1.17.6 and earlier: upgrade to version 1.17.7 or higher
  • Spotfire Enterprise Runtime for R - Server Edition 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1: upgrade to version 1.22.2 or higher
  • Spotfire Service for Python 1.17.6 and earlier: upgrade to version 1.17.7 or higher
  • Spotfire Service for Python 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1: upgrade to version 1.22.2 or higher
  • Spotfire Service for R 1.17.6 and earlier: upgrade to version 1.17.7 or higher
  • Spotfire Service for R 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.21.1: upgrade to version 1.22.2 or higher
  • Spotfire Analyst 14.0.5 and earlier: upgrade to version 14.0.6 or higher
  • Spotfire Analyst 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1: upgrade to version 14.4.2 or higher
  • Deployment Kit used in Spotfire Server 14.0.6 and earlier: apply Deployment Kit in Spotfire Server version 14.0.7 or higher
  • Deployment Kit used in Spotfire Server 14.1.0, 14.2.0, 14.3.0, 14.4.0, 14.4.1: apply Deployment Kit in Spotfire Server version 14.4.2 or higher
  • Spotfire Desktop 14.4.1 and earlier: upgrade to version 14.4.2 or higher
  • Spotfire for AWS Marketplace 14.4.1 and earlier: upgrade to version 14.4.2 or higher
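The version mapping above is easy to misread when checking an inventory by hand, because each product has a patched maintenance branch (for example 14.0.7) as well as a later fixed release (14.4.2). The following Python is an added example, not code from Cloud Software Group or the advisory: it transcribes the affected and fixed versions listed here into rules and reports, for each installed product and version, whether it is affected and what the minimum fixed version is. The product names, the hostnames in the inventory and the dotted-numeric version format are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '14.0.5' into (14, 0, 5) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.strip().split("."))

@dataclass(frozen=True)
class Rule:
    legacy_max: str               # "X and earlier" on the maintenance branch
    legacy_fix: str               # fixed release for that branch
    listed: Tuple[str, ...]       # later releases the advisory enumerates
    listed_fix: str               # fixed release for those

# Affected/fixed versions transcribed from the Resolution section of this advisory (CVE-2025-3115).
LATER_14 = ("14.1.0", "14.2.0", "14.3.0", "14.4.0", "14.4.1")
LATER_1 = ("1.18.0", "1.19.0", "1.20.0", "1.21.0", "1.21.1")
RULES: Dict[str, Rule] = {
    "Spotfire Statistics Services": Rule("14.0.6", "14.0.7", LATER_14, "14.4.2"),
    "Deployment Kit used in Spotfire Server": Rule("14.0.6", "14.0.7", LATER_14, "14.4.2"),
    "Spotfire Analyst": Rule("14.0.5", "14.0.6", LATER_14, "14.4.2"),
    "Spotfire Desktop": Rule("14.4.1", "14.4.2", (), "14.4.2"),
    "Spotfire for AWS Marketplace": Rule("14.4.1", "14.4.2", (), "14.4.2"),
    "Spotfire Service for Python": Rule("1.17.6", "1.17.7", LATER_1, "1.22.2"),
    "Spotfire Service for R": Rule("1.17.6", "1.17.7", LATER_1, "1.22.2"),
    "Spotfire Enterprise Runtime for R - Server Edition": Rule("1.17.6", "1.17.7", LATER_1, "1.22.2"),
}

def assess(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_to): 'affected' with the minimum fixed version,
    'fixed', or 'unlisted' when the advisory says nothing about that version."""
    rule = RULES[product]
    v = parse_version(installed)
    if v <= parse_version(rule.legacy_max):        # maintenance branch and anything older
        return "affected", rule.legacy_fix
    if installed in rule.listed:                   # explicitly enumerated later release
        return "affected", rule.listed_fix
    if v >= parse_version(rule.listed_fix):        # at or past the main fixed release
        return "fixed", None
    legacy_fix = parse_version(rule.legacy_fix)
    if v[:2] == legacy_fix[:2] and v >= legacy_fix:  # patched maintenance branch, e.g. 14.0.7
        return "fixed", None
    return "unlisted", None                        # e.g. 14.1.1: not covered by the advisory

if __name__ == "__main__":
    # Constructed inventory lines, not real hosts: (hostname, product, version)
    inventory = [("stats-01", "Spotfire Statistics Services", "14.4.1"),
                 ("py-svc-02", "Spotfire Service for Python", "1.17.7")]
    for host, product, version in inventory:
        print(host, product, version, *assess(product, version))
```

A version the advisory neither lists as affected nor covers by a fixed release (such as 14.1.1) is reported as "unlisted" rather than guessed either way.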

Issue/Introduction

Spotfire Data Function Vulnerability