Platform
java
Component
org.apache.kylin:kylin
Fixed in
5.0.2
5.0.2
CVE-2025-30067 describes a code injection vulnerability within Apache Kylin, specifically related to the improper control of code generation. This vulnerability allows an attacker with system or project admin privileges to potentially execute arbitrary code via manipulation of JDBC connection configurations. The vulnerability impacts versions of Apache Kylin from 4.0.0 through 5.0.1, and a fix is available in version 5.0.2.
Successful exploitation of CVE-2025-30067 hinges on an attacker gaining administrative access to the Apache Kylin system or project. Once this access is achieved, they can modify the JDBC connection configuration, injecting malicious code that will be executed remotely. The potential impact is significant, ranging from data exfiltration and system compromise to complete control of the Kylin instance. This could lead to the compromise of sensitive data processed by Kylin, disruption of business intelligence operations, and potentially, lateral movement within the network if Kylin is integrated with other systems. While the CVSS score is LOW, the requirement for admin privileges and the potential for severe consequences necessitate prompt remediation.
CVE-2025-30067 was publicly disclosed on March 27, 2025. As of this date, there are no publicly known proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is likely low due to the requirement for administrative privileges and the lack of public exploits, but diligent monitoring is still recommended.
Exploit Status
EPSS
0.34% (57% percentile)
The primary mitigation for CVE-2025-30067 is to upgrade Apache Kylin to version 5.0.2 or later, which includes the necessary fix. If an immediate upgrade is not feasible, restrict access to Kylin's system and project admin roles to only trusted personnel. Implement robust authentication and authorization controls to prevent unauthorized access. Consider implementing a Web Application Firewall (WAF) with rules to detect and block suspicious JDBC connection attempts. Regularly review and audit JDBC connection configurations for any signs of tampering. After upgrading, verify the fix by attempting to establish a JDBC connection with a test user account and confirming that no arbitrary code execution is possible.
Update Apache Kylin to version 5.0.2 or above. This update corrects the code injection vulnerability. Ensure that Kylin's system and project administrator access is adequately protected.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-30067 is a code injection vulnerability in Apache Kylin affecting versions up to 5.0.0-beta. An attacker with admin access can inject code through JDBC connection configuration.
You are affected if you are using Apache Kylin versions 4.0.0 through 5.0.1. Upgrade to 5.0.2 or later to mitigate the risk.
Upgrade Apache Kylin to version 5.0.2 or later. Restrict admin access and review JDBC connection configurations as an interim measure.
As of March 27, 2025, there are no publicly known active exploits for CVE-2025-30067.
Refer to the Apache Kylin security advisories on the Apache project website for the latest information and updates regarding CVE-2025-30067.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.