CVE-2025-2180 Checkov by Prisma Cloud: Unsafe Deserialization of Terraform Files Allows Code Execution
Description
An unsafe deserialization vulnerability in Palo Alto Networks Checkov by Prisma® Cloud allows an authenticated user to execute arbitrary code as a non-administrative user by scanning a malicious Terraform file when using Checkov in Prisma® Cloud.
This issue impacts Checkov 3.0 versions earlier than Checkov 3.2.415.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Checkov by Prisma Cloud 3.2.0 | < 3.2.415 | >= 3.2.415 |
Required Configuration for Exposure
No special configuration is required to be vulnerable to this issue.
Severity: LOW, Suggested Urgency: MODERATE (if the user scans infrastructure as code (IaC) files from untrusted sources).
- CVSS-BT: 1.1 / CVSS-B: 4.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-502 Deserialization of Untrusted Data
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
Checkov by Prisma Cloud 3.2 | 3.2.0 through 3.2.414 | Upgrade to 3.2.415 or later. |
Workarounds and Mitigations
Do not run Checkov on Terraform files from untrusted sources or pull requests.
Acknowledgments
CPE Applicability
- cpe:2.3:a:palo_alto_networks:checkov_by_prisma_cloud:*:*:*:*:*:*:*:* is vulnerable from (including) 3.2.0 up to (excluding) 3.2.415
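A pre-scan guard for a CI pipeline that refuses to run Checkov while the installed version is inside the affected range from the Solution table and the CPE line above. This is an added example written for this advisory, not Checkov's or Palo Alto Networks' own code; it assumes `checkov --version` prints a dotted version string and that the `checkov` binary is on PATH.

```python
"""Refuse to scan with a Checkov build affected by CVE-2025-2180.

Added example for this advisory, not Checkov's own code. The bounds are the
advisory's own: affected from 3.2.0 (inclusive) up to 3.2.415 (exclusive).
"""
import re
import subprocess
import sys

AFFECTED_FROM = (3, 2, 0)   # inclusive lower bound from the CPE applicability line
FIXED_IN = (3, 2, 415)      # exclusive upper bound: first unaffected release


def parse_version(text: str) -> tuple:
    """Return the first dotted major.minor.patch version found in text as an int tuple.

    Raises ValueError when no version is present, so a broken or unexpected
    `checkov --version` output is never silently treated as a safe build.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """True when version lies in [3.2.0, 3.2.415), the range this advisory marks as affected."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def installed_checkov_version(binary: str = "checkov") -> str:
    """Ask the installed binary for its version (assumes `checkov --version` prints it)."""
    result = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    try:
        version = installed_checkov_version()
    except (OSError, subprocess.CalledProcessError, ValueError) as exc:
        sys.exit(f"could not determine checkov version: {exc}")
    if is_affected(version):
        sys.exit(f"checkov {version} is affected by CVE-2025-2180; upgrade to 3.2.415 or later before scanning")
    print(f"checkov {version} is outside the affected range")
```

Run it as the first step of the IaC scanning job so that an un-upgraded runner fails closed instead of scanning pull-request Terraform with a vulnerable build.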