
CVE-2025-27531: Apache InLong: An arbitrary file read vulnerability for JDBC

9.8 CVSS

Description

Deserialization of Untrusted Data vulnerability in Apache InLong.

This issue affects Apache InLong from 1.13.0 before 2.1.0.

It allows an authenticated attacker to read arbitrary files by writing the same JDBC connection parameter twice ("double writing the param"), so that a parameter passes the check that is supposed to reject it.

Users are recommended to upgrade to version 2.1.0, which fixes the issue. Note that the published CVSS vector below scores PR:N (no privileges required) even though the description requires an authenticated attacker; treat the 9.8 as an upper bound and rescore against your own deployment if InLong's JDBC data-source configuration is not reachable by untrusted users.
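The page does not say which parameter was double-written or how InLong checked it. The following is an added illustration of the general bug class behind "double writing the param", not Apache InLong's code: a checker that collapses the query string into a dictionary (last occurrence wins) disagrees with a consumer that honours the first occurrence, so a denied option slips through. The denylist names are real MySQL Connector/J options, but treating them as InLong's denylist, the allowlist, and the first-occurrence consumer are all assumptions of this example. The hardened check rejects any repeated key, inspects every occurrence, and only accepts allowlisted keys.

```python
"""Parser differential on duplicate JDBC URL parameters (constructed example)."""
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl

# Connector/J options that let the driver read local files or deserialize
# server-supplied BLOBs. Using exactly these as the denylist is an assumption
# of this example, not a statement about InLong's list.
DENIED = {"allowloadlocalinfile", "allowurlinlocalinfile", "autodeserialize"}
# Hardened variant: only these keys may appear at all (example allowlist).
ALLOWED = {"usessl", "servertimezone", "characterencoding", "connecttimeout"}


def query_pairs(jdbc_url: str) -> List[Tuple[str, str]]:
    """(key, value) pairs of a jdbc: URL's query string, in order, keys
    lower-cased. Duplicates are preserved so callers can see them."""
    _, _, query = jdbc_url.partition("?")
    return [(k.lower(), v) for k, v in parse_qsl(query, keep_blank_values=True)]


def naive_is_safe(jdbc_url: str) -> bool:
    """Hypothetical vulnerable check: build a dict (last occurrence wins) and
    only then look for a denied key set to 'true'."""
    params = dict(query_pairs(jdbc_url))
    return not any(k in DENIED and v.lower() == "true" for k, v in params.items())


def consumer_value(jdbc_url: str, key: str) -> Optional[str]:
    """Models a consumer that honours the FIRST occurrence of a key. Which
    occurrence a real driver uses is driver-specific; the point is only that
    its rule need not match the checker's rule."""
    for k, v in query_pairs(jdbc_url):
        if k == key.lower():
            return v
    return None


def hardened_check(jdbc_url: str) -> List[str]:
    """Reject if any key repeats, any occurrence of a denied key is present,
    or a key is outside the allowlist. Returns the reasons; [] means accepted."""
    reasons = []
    seen = set()
    for k, v in query_pairs(jdbc_url):
        if k in seen:
            reasons.append(f"duplicate parameter: {k}")
        seen.add(k)
        if k in DENIED:
            reasons.append(f"denied parameter: {k}={v}")
        elif k not in ALLOWED:
            reasons.append(f"parameter not in allowlist: {k}")
    return list(dict.fromkeys(reasons))  # de-duplicate, keep order


# Constructed sample URLs (host, database and values are made up).
URL_DIRECT = "jdbc:mysql://db:3306/inlong?useSSL=false&allowLoadLocalInfile=true"
URL_DOUBLED = URL_DIRECT + "&allowLoadLocalInfile=false"
URL_CLEAN = "jdbc:mysql://db:3306/inlong?useSSL=true&serverTimezone=UTC"

if __name__ == "__main__":
    for url in (URL_DIRECT, URL_DOUBLED, URL_CLEAN):
        print(url)
        print("  naive check accepts :", naive_is_safe(url))
        print("  consumer sees LOCAL INFILE =", consumer_value(url, "allowLoadLocalInfile"))
        print("  hardened check      :", hardened_check(url) or "accepted")
```

The doubled URL is the interesting case: the naive check accepts it because the dictionary keeps the trailing `false`, while a first-occurrence consumer still enables local-file reads. Rejecting duplicates outright is the cheap fix; validating against an allowlist removes the need to enumerate every dangerous driver option.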

Classification

CVE ID: CVE-2025-27531

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-502 Deserialization of Untrusted Data

Affected Products

Vendor: Apache Software Foundation

Product: Apache InLong

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 14.13% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-11 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27531
https://lists.apache.org/thread/r62lkqrr739wvcb60j6ql6q63rh4bxx5

Timeline