CVE-2025-27528
Last modified
CVE-2025-27528 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747. EPSS estimates a 0.58% chance of exploitation in the next 30 days.
Description
Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Inlong | >= 1.13.0, < 2.2.0 |
References
- https://github.com/apache/inlong/pull/11747Issue Tracking
- http://www.openwall.com/lists/oss-security/2025/05/28/3Mailing List, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-27528?
How severe is CVE-2025-27528?
How do I fix CVE-2025-27528?
Are you affected by CVE-2025-27528?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST