ghsa-776q-jw43-fhjx
Vulnerability from github
Published
2025-09-24 09:30
Modified
2025-09-27 02:28
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Apache IoTDB: Deserialization of untrusted Data
Details
Summary
Apache IoTDB deserializes data from external inputs without sufficient validation, allowing attacker-controlled serialized objects to be processed. In environments where a compatible gadget chain is reachable, this can be abused to execute arbitrary code or alter server state; at minimum it enables high-impact integrity and confidentiality compromise on the IoTDB process.
Affected
Apache IoTDB from 1.0.0 before 2.0.5.
Remediation
Upgrade to 2.0.5, which addresses the flaw. If immediate upgrade is not possible, restrict exposure of IoTDB endpoints to trusted networks and disable or sanitize any feature paths that accept serialized payloads. These mitigations are defense-in-depth only; upgrading to 2.0.5 is the definitive fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.iotdb:iotdb-confignode"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "2.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48459"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-24T18:58:41Z",
"nvd_published_at": "2025-09-24T08:15:32Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\nApache IoTDB deserializes data from external inputs without sufficient validation, allowing attacker-controlled serialized objects to be processed. In environments where a compatible gadget chain is reachable, this can be abused to execute arbitrary code or alter server state; at minimum it enables high-impact integrity and confidentiality compromise on the IoTDB process.\n\n### Affected\n\nApache IoTDB **from 1.0.0 before 2.0.5**.\n\n### Remediation\n\nUpgrade to **2.0.5**, which addresses the flaw. If immediate upgrade is not possible, restrict exposure of IoTDB endpoints to trusted networks and disable or sanitize any feature paths that accept serialized payloads. These mitigations are defense-in-depth only; upgrading to 2.0.5 is the definitive fix.",
"id": "GHSA-776q-jw43-fhjx",
"modified": "2025-09-27T02:28:53Z",
"published": "2025-09-24T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48459"
},
{
"type": "WEB",
"url": "https://github.com/apache/iotdb/commit/5ad4a940ed84abca27c7e8be86cb371a49900491"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-776q-jw43-fhjx"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/iotdb"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/mr84n19nv8d0bmcrfsj3mm5ff5qn4q2f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache IoTDB: Deserialization of untrusted Data"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.