CVE-2025-61982
An arbitrary code execution vulnerability exists in the Code Stream directive functionality of OpenCFD OpenFOAM 2506. A specially crafted OpenFOAM simulation file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
OpenCFD OpenFOAM 2506
OpenFOAM - https://www.openfoam.com/
7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-94 - Improper Control of Generation of Code (‘Code Injection’)
OpenFOAM is a very popular computation fluid dynamics open-source software, used extensively in academia and the industry.
OpenFOAM takes a specific directory structure as input. Some of the most important files in this directory structure are dictionary files that contain various settings like the total simulation time, the output format, the specific solver to use etc.
The specification for the dictionary file allows for a code directive #codeStream that contains C++ code which will be automatically compiled and executed during simulation. This can include any valid C++ code, even calls to standard functions like system() which can grant an attacker easy access to a remote machine, granting arbitrary code execution.
In the OpenFOAM configuration file, there is the option allowSystemOperations which if set to false, disables the automatic code generation and execution. However, this option is set to true by default and no warning is presented to the user that running a simulation effectively allows arbitrary code execution from an untrusted source. If the option is not present in the configuration file, it still defaults to true, compiling and executing arbitrary code.
controlDict and meshDict are some of the most common dictionary files necessary for a simulation, however OpenFOAM allows for other user supplied dictionaries that can inlude C++ code.
In the OpenFOAM configuration file, make sure that the option allowSystemOperations is set to false. Ex:
allowSystemOperations 0
2025-11-10 - Initial Vendor Contact
2025-11-17 - Vendor Disclosure
2025-11-25 - Bugs Have Been Created in Vendor Bugtracker
2025-12-03 - Vendor Reply
2025-12-08 - Talos Reply
2025-12-11 - Vendor Reply, Fix Suggestions
2025-12-18 - Talos Feedback
2026-02-04 - Status Request to Vendor
2026-02-04 - Vendor Reply
2026-02-11 - Talos Reply, Upcoming Release Date Announced
2026-02-18 - Public Release
Discovered by Dimitrios Tatsis of Cisco Talos.