Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 50 maven packages depend on org.apache.ignite:ignite-core (45 direct, 5 indirect)
Ecosystem-wide dependent count for version 2.0.0.
DescriptionCVE.org
Relative Path Traversal vulnerability in Apache Ignite REST API.
Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0.
Users are recommended to upgrade to version 2.18.0, which fixes the issue.
AnalysisAI
Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the server by abusing the 'cmd=log' command with a crafted log path parameter. The flaw allows any low-privileged API user to escape the intended log directory and access sensitive files such as configuration, credentials, or keystores, with no public exploit identified at time of analysis.
Technical ContextAI
Apache Ignite is a distributed in-memory computing and caching platform whose embedded REST API exposes administrative commands including 'cmd=log' for retrieving log file contents. The root cause maps to CWE-23 (Relative Path Traversal), meaning the handler that resolves the log path parameter fails to canonicalize or constrain the value to the log directory, so sequences such as '../' allow the resolved path to traverse outside the intended root. Because the REST endpoint runs with the privileges of the Ignite node process - typically a service account with broad read access to its working tree, configuration directory, and JVM environment - the traversal exposes any file readable by that process.
RemediationAI
Vendor-released patch: Apache Ignite 2.18.0 - upgrade all cluster nodes to 2.18.0 or later as the primary remediation, following the advisory at https://lists.apache.org/thread/hgct6918sowd8l58yjohryhpxx81t4n1. Where immediate upgrade is not possible, restrict network access to the Ignite REST API (default TCP/8080 for the HTTP connector) to trusted management hosts only via firewall or service mesh policy, rotate and tighten REST API credentials so PR:L access is not widely granted, and consider disabling the HTTP REST connector entirely in ignite-config if applications do not depend on it - note that disabling REST will break any tooling or monitoring that uses the 'cmd=' interface. Running the Ignite process as an unprivileged user with a minimal readable filesystem footprint reduces the value of any file read but does not close the underlying flaw.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209980
GHSA-v45h-mqf4-6939