Home

Description

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue.

PUBLISHED Reserved 2025-02-17 | Published 2025-12-12 | Updated 2025-12-13 | Assigner apache

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
unaffected

1.0.0 (maven) before 1.7.0
affected

Credits

shukuang reporter

yulate reporter

X1r0z reporter

haohao0103 remediation developer

References

www.openwall.com/lists/oss-security/2025/12/09/1

github.com/apache/incubator-hugegraph/pull/2735 patch

lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq vendor-advisory

cve.org (CVE-2025-26866)

nvd.nist.gov (CVE-2025-26866)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.