Platform
java
Component
org.apache.kylin:kylin
Fixed in
5.0.3
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Apache Kylin that allows an attacker to make the Kylin server issue HTTP requests to destinations of the attacker's choosing. The issue affects Apache Kylin versions 4.0.0 through 5.0.2 and is fixed in version 5.0.3.
An SSRF turns the Kylin server into a request proxy: a URL the attacker controls is fetched from the server's own network position, with the server's own network identity. That matters because a Kylin deployment typically sits next to resources the attacker cannot reach directly, such as the metadata database, internal APIs, and, on cloud hosts, the instance metadata endpoint that hands out credentials. Depending on what is reachable over HTTP/HTTPS from the server, the attacker could map internal hosts and ports from the server's responses, read data from unauthenticated internal services, retrieve cloud credentials, or trigger state-changing actions on systems that trust requests from the Kylin host. The Apache guidance to protect Kylin's system and project admin access indicates that the request-issuing functionality is reachable through those admin roles, so the attacker is a malicious or compromised admin rather than an anonymous user. The blast radius is bounded by the network segmentation and egress controls around the server; where those are weak, a successful exploitation can lead to significant data exposure and compromise of adjacent systems.
This vulnerability was publicly disclosed on 2025-10-02. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The likelihood of exploitation is considered medium, given the SSRF nature and the potential for internal reconnaissance.
Exploit Status
EPSS
0.09% (26th percentile)
CVSS Vector
The primary mitigation for CVE-2025-61735 is to upgrade Apache Kylin to version 5.0.3 or later. If an immediate upgrade is not feasible, restrict access to the Kylin system and project admin interfaces to trusted users only, since those roles are the path to the vulnerable functionality. Implement strict network segmentation and egress filtering for the Kylin host so that, even if a request is forged, it cannot reach internal services or the cloud instance metadata endpoint. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to filter out malicious requests, bearing in mind that a WAF sees the inbound request and not the outbound connection the server makes, so it complements rather than replaces egress controls. Regularly review and update Kylin's configuration to ensure it adheres to security best practices. After upgrading, confirm the fix on a non-production instance by replaying the request pattern that established exposure and verifying that the server no longer issues the outbound request.
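The interim controls above all come down to one decision: is the destination a user-supplied URL resolves to one the server should ever connect to? The following is an added example of that destination guard, written here to illustrate the check; it is not Apache Kylin code and the 5.0.3 fix itself is not described on this page. It allowlists the scheme, resolves the host, and refuses the URL if any resolved address is loopback, link-local (which covers the 169.254.169.254 instance metadata endpoint), private, multicast, or otherwise not globally routable, including IPv4-mapped IPv6 forms. The `FAKE_DNS` table and the `.example` hostnames in it are constructed so the example runs offline; `system_resolver` is what a real deployment would pass.

```python
"""Outbound-destination guard for server-side fetches (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver table so the example runs offline; hosts are made up.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "metadata.example": ["169.254.169.254"],         # cloud instance metadata
    "kylin-meta-db.example": ["10.0.0.5"],           # internal metadata database
    "localhost": ["127.0.0.1"],
    "flaky.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback answer
}


def fake_resolver(host):
    """Offline stand-in for DNS; unknown hosts resolve to nothing."""
    return FAKE_DNS.get(host, [])


def system_resolver(host):
    """Real resolution via getaddrinfo; returns every A/AAAA answer."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def vetted_addresses(url, resolver=system_resolver):
    """Return the addresses the request may connect to, or [] to refuse.

    The caller should connect to one of the returned addresses rather than
    re-resolving the hostname, so a DNS answer that changes between check
    and connect (rebinding) cannot bypass the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return []
    host = parts.hostname  # userinfo such as public.example@127.0.0.1 is already stripped
    try:
        candidates = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except ValueError:
            return []  # resolver handed back something that is not an address
    if not candidates:
        return []
    for ip in candidates:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata endpoint
        if not ip.is_global or ip.is_multicast:
            return []  # a single bad answer fails the whole URL
    return [str(ip) for ip in candidates]


def is_safe_destination(url, resolver=system_resolver):
    """True only when every address the URL resolves to is globally routable."""
    return bool(vetted_addresses(url, resolver))


if __name__ == "__main__":
    for u in ("https://public.example/api",
              "http://169.254.169.254/latest/meta-data/",
              "http://public.example@127.0.0.1/",
              "http://flaky.example/"):
        print(f"{u:45s} -> {'allow' if is_safe_destination(u, fake_resolver) else 'refuse'}")
```

Two design points are worth noting. The check fails closed on any resolved address rather than the first, because an attacker who controls a DNS name can return a public and a private answer together and rely on the client picking the private one. And the result is a list of vetted IPs to connect to, not a yes/no: a guard that returns only a boolean and then lets the HTTP client resolve the name a second time is open to rebinding between the two lookups.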
Upgrade Apache Kylin to version 5.0.3 or later. If immediate upgrade is not possible, ensure that Kylin's system and project admin access is well protected to mitigate the SSRF risk.
CVE-2025-61735 is a Server-Side Request Forgery vulnerability in Apache Kylin versions 4.0.0 through 5.0.2 that allows an attacker to make the Kylin server issue requests to destinations of the attacker's choosing.
You are affected if you are running Apache Kylin versions 4.0.0 through 5.0.2 and have not yet upgraded.
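The affected range is easy to get wrong by hand, particularly for pre-release builds of the fix. The following added example (not Kylin project code and not a tool from this page) encodes only the facts stated above, that `org.apache.kylin:kylin` is affected from 4.0.0 through 5.0.2 and fixed in 5.0.3, and applies them to the dependencies in a Maven POM, resolving `${property}` versions against `<properties>`. The sample POM is constructed. One assumption is labelled in the code: a version carrying a qualifier (for example 5.0.3-SNAPSHOT) is ranked below the bare release, as Maven orders it, so a pre-release of the fix is still flagged as affected.

```python
"""Flag Maven coordinates inside the CVE-2025-61735 affected range (added example)."""
import re
import xml.etree.ElementTree as ET

AFFECTED_GROUP = "org.apache.kylin"
AFFECTED_ARTIFACT = "kylin"
AFFECTED_MIN = "4.0.0"   # first affected release (inclusive)
FIXED_IN = "5.0.3"       # first fixed release (exclusive upper bound)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(v):
    """Turn a Maven version string into a comparable tuple.

    Returns (major, minor, patch, rank). rank is 1 for a bare release and 0
    when any qualifier follows (5.0.3-SNAPSHOT, 5.0.3-RC1), so pre-releases
    sort below the release they lead up to, as Maven orders them.
    Assumption: a pre-release of the fix is therefore treated as unfixed.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if qualifier else 1)


def is_affected(version):
    """True for 4.0.0 through 5.0.2, and for pre-releases of 5.0.3."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) < parse_version(FIXED_IN)


def _local(tag):
    """Drop the XML namespace so the default Maven POM namespace does not matter."""
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml):
    """Return [(groupId, artifactId, resolved_version, affected)] for every
    <dependency> on the affected coordinate. ${prop} versions are resolved
    against <properties>; a version that cannot be parsed (unresolved
    property, or managed elsewhere) is reported with affected=None so it is
    not silently passed."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()

    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") != AFFECTED_GROUP or f.get("artifactId") != AFFECTED_ARTIFACT:
            continue
        version = f.get("version", "")
        m = re.fullmatch(r"\$\{([^}]+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        try:
            affected = is_affected(version)
        except ValueError:
            affected = None
        findings.append((AFFECTED_GROUP, AFFECTED_ARTIFACT, version, affected))
    return findings


# Constructed sample POM; not taken from any real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <kylin.version>5.0.2</kylin.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.kylin</groupId>
      <artifactId>kylin</artifactId>
      <version>${kylin.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.14.0</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for g, a, v, hit in scan_pom(SAMPLE_POM):
        status = {True: "AFFECTED", False: "not affected", None: "UNRESOLVED"}[hit]
        print(f"{g}:{a}:{v} -> {status} (fixed in {FIXED_IN})")
```

A direct `<dependency>` entry is not the only way to ship Kylin; a version inherited from a parent POM, a BOM, or a transitive dependency will not appear in this file at all. Treat an `UNRESOLVED` result, or no hit, as a prompt to check the resolved dependency tree from the build tool rather than as a clean bill.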
Upgrade Apache Kylin to version 5.0.3 or later. Restrict access to admin interfaces and implement network segmentation as interim measures.
There is currently no confirmed active exploitation, but the SSRF nature makes it a potential target.
Refer to the Apache Kylin security advisories on the Apache project website for the latest information.