Platform
java
Component
org.apache.seatunnel:seatunnel-engine-server
Fixed in
2.3.11
CVE-2025-32896 describes an Arbitrary File Read and Deserialization vulnerability discovered in Apache SeaTunnel. This vulnerability allows unauthorized users to perform malicious actions by exploiting the /hazelcast/rest/maps/submit-job endpoint. The vulnerability impacts versions of Apache SeaTunnel up to and including 2.3.9, and a fix is available in version 2.3.11.
An attacker can leverage this vulnerability to read arbitrary files from the SeaTunnel server's file system. By manipulating extra parameters within the MySQL URL during job submission, they can trigger deserialization of malicious objects, potentially leading to remote code execution. The blast radius extends to any data accessible by the SeaTunnel process, and successful exploitation could compromise the entire system. This vulnerability shares similarities with other deserialization vulnerabilities where attackers can inject malicious code through crafted input.
This CVE was published on 2025-06-19. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 2.5 rates the issue as low severity, but the potential impact warrants prompt remediation.
Exploit Status
EPSS
0.19% (41st percentile)
The primary mitigation is to upgrade Apache SeaTunnel to version 2.3.11 or later, which includes the fix. As an interim measure, consider disabling the /hazelcast/rest/maps/submit-job endpoint if it is not essential. Enabling the RESTful API v2 and enforcing HTTPS two-way (mutual TLS) authentication further restricts access to job submission and reduces the attack surface. Review and restrict access to the SeaTunnel environment, limiting user privileges to the minimum necessary.
Update Apache SeaTunnel to version 2.3.11 or higher. Additionally, enable the RESTful API v2 and configure HTTPS two-way authentication to mitigate the vulnerability.
CVE-2025-32896 is a LOW severity vulnerability affecting Apache SeaTunnel versions up to 2.3.9, allowing unauthorized users to read arbitrary files and potentially execute code through the submit-job API.
You are affected if you are using Apache SeaTunnel version 2.3.9 or earlier. Upgrade to version 2.3.11 to resolve the issue.
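As an added example (not the advisory's or the SeaTunnel project's own tooling), a Python check that parses a Maven pom.xml, resolves a `${...}` version property, and flags an `org.apache.seatunnel:seatunnel-engine-server` dependency that predates the 2.3.11 fix; the sample POM is constructed.

```python
"""Check a Maven pom.xml for a seatunnel-engine-server dependency older than the CVE-2025-32896 fix."""
import re
import xml.etree.ElementTree as ET

GROUP_ID = "org.apache.seatunnel"
ARTIFACT_ID = "seatunnel-engine-server"
FIXED_VERSION = "2.3.11"  # fixed release named in the advisory
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml (not from any real project); the version comes from a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <seatunnel.version>2.3.9</seatunnel.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.seatunnel</groupId>
      <artifactId>seatunnel-engine-server</artifactId>
      <version>${seatunnel.version}</version>
    </dependency>
  </dependencies>
</project>"""

def version_key(version):
    """Leading numeric components of a Maven version; qualifiers are ignored ('2.3.11-SNAPSHOT' -> (2, 3, 11))."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

def below_fix(version):
    """True when the version predates 2.3.11; an unresolved '${...}' yields () and is flagged conservatively."""
    return version_key(version) < version_key(FIXED_VERSION)

def _text(elem, tag):
    child = elem.find(f"m:{tag}", NS)
    return (child.text or "").strip() if child is not None else ""

def engine_server_versions(pom_xml):
    """Resolved versions of every seatunnel-engine-server dependency declared in the POM."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    found = []
    for dep in root.findall(".//m:dependency", NS):
        if _text(dep, "groupId") == GROUP_ID and _text(dep, "artifactId") == ARTIFACT_ID:
            # Substitute ${property} references declared in <properties>; unknown ones stay as-is.
            found.append(re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), _text(dep, "version")))
    return found

def pom_needs_upgrade(pom_xml):
    """True when any engine-server dependency in the POM is below the fixed release."""
    return any(below_fix(v) for v in engine_server_versions(pom_xml))
```

`pom_needs_upgrade(SAMPLE_POM)` returns True for the constructed POM because its resolved version is 2.3.9; versions inherited from a parent POM or a BOM are not resolved here and should be checked with `mvn dependency:tree`.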
Upgrade to Apache SeaTunnel version 2.3.11. Additionally, enable the RESTful API v2 and HTTPS two-way authentication for enhanced security.
There is currently no confirmed evidence of active exploitation, but the potential impact warrants prompt remediation.
Refer to the Apache SeaTunnel project's security announcements for the official advisory: [https://seatunnel.apache.org/docs/security/](https://seatunnel.apache.org/docs/security/)