
Apache Ignite CVE-2025-48977

Severity: HIGH (CVSS 4.0 base score 8.5)
Weakness: Relative Path Traversal (CWE-23)
Published: 2026-05-28 (security@apache.org)

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: X (not defined)

Lifecycle Timeline

- Analysis Generated: May 28, 2026, 10:30 (vuln.today)
- CVE Published: May 28, 2026, 10:16 (nvd)

Description (NVD)

Relative Path Traversal vulnerability in Apache Ignite REST API.

Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0.

Users are recommended to upgrade to version 2.18.0, which fixes the issue.

Analysis (AI)

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the server by abusing the 'cmd=log' command with a crafted log path parameter. The flaw allows any low-privileged API user to escape the intended log directory and access sensitive files such as configuration, credentials, or keystores, with no public exploit identified at time of analysis.

Technical Context (AI)

Apache Ignite is a distributed in-memory computing and caching platform whose embedded REST API exposes administrative commands including 'cmd=log' for retrieving log file contents. The root cause maps to CWE-23 (Relative Path Traversal), meaning the handler that resolves the log path parameter fails to canonicalize or constrain the value to the log directory, so sequences such as '../' allow the resolved path to traverse outside the intended root. Because the REST endpoint runs with the privileges of the Ignite node process - typically a service account with broad read access to its working tree, configuration directory, and JVM environment - the traversal exposes any file readable by that process.

Affected Products (AI)

Apache Ignite versions 2.0.0 through 2.17.0 inclusive are affected on any platform that exposes the REST API. The fix is shipped in Apache Ignite 2.18.0, and the vendor advisory is published on the Apache mailing list at https://lists.apache.org/thread/hgct6918sowd8l58yjohryhpxx81t4n1. No CPE strings were provided in the source data, so exact build-level CPE matching should be confirmed against the NVD entry once published.

Remediation (AI)

Vendor-released patch: Apache Ignite 2.18.0. Upgrade all cluster nodes to 2.18.0 or later as the primary remediation, following the advisory at https://lists.apache.org/thread/hgct6918sowd8l58yjohryhpxx81t4n1. Where an immediate upgrade is not possible, restrict network access to the Ignite REST API (default TCP/8080 for the HTTP connector) to trusted management hosts only, via firewall or service mesh policy; rotate and tighten REST API credentials so that PR:L access is not widely granted; and consider disabling the HTTP REST connector entirely in the Ignite node configuration if no application depends on it. Note that disabling REST will break any tooling or monitoring that uses the 'cmd=' interface. Running the Ignite process as an unprivileged user with a minimal readable filesystem footprint reduces the value of any file read but does not close the underlying flaw.


CVE-2025-48977 vulnerability details – vuln.today
