CVE-2025-58337 | THREATINT

Description

An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications. Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).

PUBLISHED Reserved 2025-08-29 | Published 2025-11-05 | Updated 2025-11-06 | Assigner apache

Problem types

CWE-284 Improper Access Control

Product status

Default status

unaffected

0.1.0 (semver) before 0.6.0

affected

Credits

Liran Tal, (liran@lirantal.com) finder

References

www.openwall.com/lists/oss-security/2025/11/04/5

lists.apache.org/thread/6tswlphj0pqn9zf25594r3c1vzvfj40h vendor-advisory

cve.org (CVE-2025-58337)

nvd.nist.gov (CVE-2025-58337)

Download JSON