Home

Description

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747

PUBLISHED Reserved 2025-02-27 | Published 2025-05-28 | Updated 2025-05-28 | Assigner apache

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
unaffected

1.13.0 (semver)
affected

Credits

yulat finder

m4x finder

h3h3qaq finder

References

www.openwall.com/lists/oss-security/2025/05/28/3

lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj vendor-advisory

github.com/apache/inlong/pull/11747 patch

cve.org (CVE-2025-27528)

nvd.nist.gov (CVE-2025-27528)

Download JSON