
Description

An XML injection vulnerability leading to remote code execution (RCE) when parsing an HTTP sitemap XML response exists in Apache HertzBeat. The attacker needs an authenticated account with access that allows adding a monitor whose response is parsed as XML; specially crafted content returned to that monitor can trigger the XML parsing vulnerability. This issue affects Apache HertzBeat (incubating) before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue.

Status: PUBLISHED | Reserved: 2025-01-21 | Published: 2025-09-09 | Updated: 2025-09-10 | Assigner: apache

Problem types

CWE-91 XML Injection (aka Blind XPath Injection)

Product status

Default status: unaffected

Any version before 1.7.0: affected

Credits

unam4 (finder)

springkill (finder)

Zoiltin (finder)

References

lists.apache.org/thread/4ydy3tqbpwmhl79mcj3pxwqz62nggrfd (vendor advisory)

cve.org (CVE-2025-24404)

nvd.nist.gov (CVE-2025-24404)
