What is the CVSS score of EUVD-2025-18684?

EUVD-2025-18684 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.2%.

Which versions of Seatunnel are affected by EUVD-2025-18684?

CVE-2025-32896 presents notable security risk, a missing authentication vulnerability rated CVSS 6.5. This could allow unauthorized access to protected resources.. A patch is available.

How to fix or mitigate EUVD-2025-18684?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Audit authentication configurations.

Seatunnel EUVD-2025-18684

| CVE-2025-32896 MEDIUM

Missing Authentication for Critical Function (CWE-306)

2025-06-19 security@apache.org

GHSA-9x53-gr7p-4qf5

Apache Deserialization Authentication Bypass Seatunnel

6.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 00:08 euvd

EUVD-2025-18684

Analysis Generated

Mar 15, 2026 - 00:08 vuln.today

Patch released

Mar 15, 2026 - 00:08 nvd

Patch available

CVE Published

Jun 19, 2025 - 11:15 nvd

MEDIUM 6.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

7 maven packages depend on org.apache.seatunnel:seatunnel-engine-common (1 direct, 6 indirect)
4 maven packages depend on org.apache.seatunnel:seatunnel-engine-server (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.3.11 and other introduced versions.

DescriptionCVE.org

Summary

Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1.

Details

Unauthorized users can access /hazelcast/rest/maps/submit-job to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack.

This issue affects Apache SeaTunnel: <=2.3.10

Fixed

Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

Analysis

Summary

Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1.

Details

Unauthorized users can access /hazelcast/rest/maps/submit-job to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack.

This issue affects Apache SeaTunnel: <=2.3.10

Fixed

Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

Technical ContextAI

An authentication bypass vulnerability allows attackers to circumvent login mechanisms and gain unauthorized access without valid credentials. This vulnerability is classified as Missing Authentication for Critical Function (CWE-306).

RemediationAI

A vendor patch is available — apply it immediately. Implement robust authentication mechanisms. Use multi-factor authentication. Review authentication logic for bypass conditions. Remove default credentials.

EUVD-2025-18684 vulnerability details – vuln.today

Back

Seatunnel EUVD-2025-18684

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

Summary

Details

Fixed

Analysis

Summary

Details

Fixed

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code