CVE-2025-27531

EUVD-2025-17317 | CRITICAL 9.8 (CVSS 3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - Patch available
Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd) - EUVD-2025-17317
CVE Published: Jun 06, 2025 - 15:15 (nvd)

Description

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 before 2.1.0; it would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.

Analysis

Critical deserialization of untrusted data vulnerability in Apache InLong versions 1.13.0 through 2.0.x that allows authenticated attackers to read arbitrary files through parameter manipulation ('double writing' the param). With a CVSS 9.8 score and network-based attack vector requiring no user interaction, this represents a high-severity information disclosure risk affecting data ingestion pipeline deployments.

Technical Context

Apache InLong is a data ingestion and integration framework that processes serialized objects during parameter handling. The vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a well-established class affecting Java-based systems that deserialize user-supplied input without proper validation. The 'double writing' technique suggests an attack exploiting parameter manipulation during object deserialization, likely via Java's native serialization mechanisms or similar frameworks. The issue affects the parameter processing layer responsible for handling ingestion configurations, where untrusted serialized data is reconstructed into objects without sanitization. This is typical of frameworks handling complex data transformation pipelines where serialization is used for inter-component communication.

Affected Products

Apache InLong 1.13.0 to 2.0.x (all minor/patch versions before 2.1.0)

Remediation

- Immediate Upgrade (priority: Critical): Upgrade Apache InLong to version 2.1.0 or later. This is the vendor-recommended and definitive remediation.
- Patch Application (priority: Critical): Apply security patches from the official Apache InLong repository (https://inlong.apache.org/). Verify patch signatures and sources.
- Interim Mitigation, if upgrade is delayed (priority: High): Implement network segmentation to restrict InLong service access to trusted internal networks only. Enforce strict authentication and audit logging on parameter submission endpoints. Monitor deserialization logs for suspicious object reconstruction patterns.
- Input Validation (priority: High): If source code modifications are possible, implement pre-deserialization validation and use allowlisting for permitted serialized object classes. Disable Java's native serialization if alternative data formats (JSON, Protocol Buffers) are viable.
- Detection (priority: Medium): Deploy WAF or IDS rules to detect 'double write' parameter manipulation attempts in InLong API calls. Monitor for deserialization gadget chain exploitation patterns.
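The "allowlisting for permitted serialized object classes" item above is the one mitigation a developer can apply in code, so here is an added example of what it looks like in Java. This is illustration only, not code from the Apache InLong project and not the fix shipped in 2.1.0: it uses the JDK's own ObjectInputFilter (Java 9 and later) to reject, before instantiation, every class in a serialized stream that is not on an explicit allowlist, and it bounds stream depth, reference count, size and array length. The IngestSettings class, the field names and the sample payloads are placeholders constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class AllowlistDeserialization {

    // Hypothetical configuration object this service expects to receive from a client.
    public static final class IngestSettings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String topic;
        final int batchSize;
        IngestSettings(String topic, int batchSize) {
            this.topic = topic;
            this.batchSize = batchSize;
        }
    }

    // Deny-by-default filter: only the expected class and the JDK type it contains are
    // accepted; the trailing "!*" rejects every other class, and the limits bound the
    // resources a hostile stream can consume before the class check even runs.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=16384;maxarray=1024;"
            + "AllowlistDeserialization$IngestSettings;java.lang.String;!*");

    // Deserialise a payload received over the network, refusing anything not allowlisted.
    static IngestSettings readSettings(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);   // must be installed before the first readObject()
            Object o = in.readObject();
            if (!(o instanceof IngestSettings)) {
                throw new InvalidClassException("unexpected root object: " + o.getClass().getName());
            }
            return (IngestSettings) o;
        }
    }

    // Helper used only to build the constructed sample payloads below.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a legitimate settings object passes the filter.
        IngestSettings ok = readSettings(serialize(new IngestSettings("events", 500)));
        System.out.println("accepted: " + ok.topic + " / " + ok.batchSize);

        // Constructed sample 2: a stream whose class is not allowlisted (a plain HashMap,
        // standing in for any unexpected type) is rejected with InvalidClassException
        // before any of its fields are reconstructed.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        try {
            readSettings(unexpected);
            System.out.println("ERROR: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter, which covers ObjectInputStream instances the application does not construct itself; the per-stream filter shown here is the tighter option when only one endpoint should ever accept a specific type. Note that a filter of this kind limits which classes may be reconstructed, and does not by itself address the "double writing" parameter manipulation the description refers to, which is why the vendor upgrade remains the definitive remediation.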

Priority Score

49 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.5
CVSS: +49
POC: 0


CVE-2025-27531 vulnerability details – vuln.today
