CVE-2025-32896 | THREATINT

Description

# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

PUBLISHED Reserved 2025-04-12 | Published 2025-06-19 | Updated 2025-06-20 | Assigner apache

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status

unaffected

2.3.1 (semver)

affected

Credits

Owen Amadeus reporter

liyiwei reporter

References

www.openwall.com/lists/oss-security/2025/04/12/1

lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9 vendor-advisory

github.com/apache/seatunnel/pull/9010 patch

cve.org (CVE-2025-32896)

nvd.nist.gov (CVE-2025-32896)

Download JSON