Security bulletins

The following describes all security bulletins related to Application Integration.

GCP-2026-044

Published: 2026-06-25

Description	Severity	Notes
A vulnerability was detected in Application Integration's JavaScript task, which was using the Rhino JavaScript engine. This only impacted tasks published before January 2025. What should I do? Google has transitioned to the more secure V8 JavaScript engine for JavaScript tasks in Application Integration. Since January 2025, all newly published integrations use the V8 engine, and as of March 30, 2026, the Rhino engine has been fully deprecated. Executions using the Rhino engine are also now blocked. If you have integrations published before January 2025, review your JavaScript tasks to confirm none still rely on the Rhino engine. Any task still configured to use Rhino will no longer execute and must be migrated to the V8 engine. For migration steps, see Migrate JavaScript tasks. What vulnerabilities are being addressed? The vulnerability, CVE-2025-0982, allowed a user with authorization to author and run JavaScript tasks to execute arbitrary code within the Application Integration execution environment. The JavaScript task previously used the Rhino JavaScript engine to run user-supplied JavaScript. Rhino permitted the use of Java reflection and the modification of in-memory permission objects, which could be combined to bypass the Java security manager and escape the intended execution sandbox. Google remediated this by moving to the V8 JavaScript engine in January 2025 and fully deprecating and blocking the Rhino engine on March 30, 2026.	High	CVE-2025-0982

Description

Severity

Notes

A vulnerability was detected in Application Integration's JavaScript task, which was using the Rhino JavaScript engine. This only impacted tasks published before January 2025.

What should I do?

Google has transitioned to the more secure V8 JavaScript engine for JavaScript tasks in Application Integration. Since January 2025, all newly published integrations use the V8 engine, and as of March 30, 2026, the Rhino engine has been fully deprecated. Executions using the Rhino engine are also now blocked.

If you have integrations published before January 2025, review your JavaScript tasks to confirm none still rely on the Rhino engine. Any task still configured to use Rhino will no longer execute and must be migrated to the V8 engine. For migration steps, see Migrate JavaScript tasks.

What vulnerabilities are being addressed?

The vulnerability, CVE-2025-0982, allowed a user with authorization to author and run JavaScript tasks to execute arbitrary code within the Application Integration execution environment.

The JavaScript task previously used the Rhino JavaScript engine to run user-supplied JavaScript. Rhino permitted the use of Java reflection and the modification of in-memory permission objects, which could be combined to bypass the Java security manager and escape the intended execution sandbox. Google remediated this by moving to the V8 JavaScript engine in January 2025 and fully deprecating and blocking the Rhino engine on March 30, 2026.

High

CVE-2025-0982