Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Network-reachable path traversal that needs no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), scope unchanged (S:U); arbitrary file read and write give C:H/I:H, with no direct availability impact (A:N).
Primary rating from Vendor (apache).
CVSS vector (vendor: apache)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description (CVE.org)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB.
This issue affects Apache IoTDB: from 1.0.0 before 1.3.6, from 2.0.0 before 2.0.7.
Users are recommended to upgrade to versions 1.3.6 and 2.0.7, which fix the issue.
Analysis (AI)
Path traversal in Apache IoTDB (1.0.0 before 1.3.6 and 2.0.0 before 2.0.7) lets a remote attacker read and write files outside the intended restricted directory by supplying crafted pathnames, hence the high confidentiality and integrity impact. The CVSS 3.1 base score is 9.1 (Critical) for the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: exploitation is network-reachable and requires neither authentication nor user interaction. No public exploit had been identified at the time of analysis and the issue is not listed in CISA's KEV catalog; the fixed releases, 1.3.6 and 2.0.7, are available from Apache. The advisory names no specific interface or file, so the practical check is the running IoTDB version against those fixed releases.
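As an added illustration of the CWE-22 class this advisory falls under (written for this page; it is not Apache IoTDB code and does not describe the affected IoTDB code path, which the advisory does not disclose), the following Python puts the usual vulnerable containment check next to a hardened one and runs both over constructed inputs. The base directory `/srv/iotdb/data`, the sample pathnames, and the `safe_join`/`naive_join` names are all assumptions made for the demonstration.

```python
import os

# Constructed base directory for the demonstration; it does not need to exist.
BASE = "/srv/iotdb/data"

# Constructed inputs: one legitimate name and five traversal attempts.
CASES = [
    "ts/2025/series.tsfile",   # legitimate file under the data directory
    "../../../etc/passwd",     # classic dot-dot escape
    "../data2/secret",         # sibling-directory escape a prefix test misses
    "/etc/passwd",             # absolute path: os.path.join discards the base
    "a/../../data2/x",         # escape hidden behind a normal-looking component
    "series\x00.tsfile",       # embedded NUL, truncates the name in C-level APIs
]


class PathTraversalError(ValueError):
    pass


def naive_join(base, user_path):
    """The pattern behind most CWE-22 findings: concatenate, normalise the
    string, then compare prefixes. normpath() is purely lexical and the
    startswith() test has no separator check, so '../data2/x' passes
    because '/srv/iotdb/data2/x' begins with '/srv/iotdb/data'."""
    candidate = os.path.normpath(os.path.join(base, user_path))
    if not candidate.startswith(base):
        raise PathTraversalError(user_path)
    return candidate


def safe_join(base, user_path):
    """Containment check: refuse NUL bytes and absolute input, canonicalise
    both sides with realpath() (which resolves '..' and symlinks), then
    require the base to be a path-component prefix of the candidate rather
    than a string prefix. The base directory itself is not a valid target."""
    if "\x00" in user_path:
        raise PathTraversalError("embedded NUL")
    if os.path.isabs(user_path):
        # os.path.join drops every earlier component when a later one is
        # absolute, so an absolute input would silently replace the base.
        raise PathTraversalError("absolute path")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(user_path)
    return candidate


def verdict(join_fn, base, user_path):
    try:
        join_fn(base, user_path)
        return "accepted"
    except PathTraversalError:
        return "rejected"


def demo(base=BASE):
    """Return {input: (naive verdict, safe verdict)} for every constructed case."""
    return {case: (verdict(naive_join, base, case), verdict(safe_join, base, case))
            for case in CASES}


if __name__ == "__main__":
    for case, (naive, safe) in demo().items():
        print("%-24r naive=%-8s safe=%s" % (case, naive, safe))
```

Two caveats a reviewer would raise on any fix of this kind. First, the check must run on the fully decoded value the file API will see; validating a percent-encoded string and decoding afterwards reintroduces the traversal. Second, realpath-then-open is a time-of-check/time-of-use race if an attacker can plant a symlink under the base directory between the two steps; on Linux, opening with `O_NOFOLLOW` or with `openat2()` and `RESOLVE_BENEATH` closes that window.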
Weakness: CWE-22 – Path Traversal
Advisory identifiers
EUVD-2025-210350
GHSA-h548-jhj8-q85h