Platform
java
Component
org.apache.kylin:kylin
Fixed in
5.0.3
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Apache Kylin, potentially allowing attackers to make unauthorized requests on behalf of the server. This issue impacts versions 4.0.0 through 5.0.2 of Apache Kylin. The vulnerability can be mitigated by upgrading to version 5.0.3, which includes a fix.
The SSRF vulnerability in Apache Kylin allows an attacker to craft malicious requests that the Kylin server will execute. This could lead to the exposure of sensitive internal resources, such as metadata databases or internal APIs. An attacker could potentially scan internal networks, access cloud credentials stored within the Kylin environment, or even trigger actions on other internal systems if they are accessible via HTTP/HTTPS. The blast radius is limited by the network segmentation and access controls in place within the affected environment; however, a successful exploitation could lead to significant data breaches and system compromise.
This vulnerability was publicly disclosed on 2025-10-02. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The likelihood of exploitation is considered medium, given the SSRF nature and the potential for internal reconnaissance.
Organizations deploying Apache Kylin for big data analytics, particularly those with internal network access from the Kylin server, are at risk. Environments with weak access controls to the Kylin system and project admin interfaces are especially vulnerable. Shared hosting environments running Kylin should be considered high-risk.
• java / server:
ps aux | grep kylin
• java / server:
journalctl -u kylin | grep -i "server-side request forgery"
• generic web:
curl -I http://<kylin_server>/internal_resource
• generic web:
grep -r "http://internal.host" /opt/kylin/conf/*
Exploit Status
EPSS
0.09% (26th percentile)
CVSS Vector
The primary mitigation for CVE-2025-61735 is to upgrade Apache Kylin to version 5.0.3 or later. If an immediate upgrade is not feasible, restrict access to the Kylin system and project admin interfaces to trusted users only. Implement strict network segmentation to limit the potential impact of a successful SSRF attack. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to filter out malicious requests. Regularly review and update Kylin's configuration to ensure it adheres to security best practices. After upgrade, confirm the fix by attempting a crafted SSRF request and verifying it is blocked.
Upgrade Apache Kylin to version 5.0.3 or later. If an immediate upgrade is not possible, make sure that Kylin system and project admin access is well protected in order to mitigate the SSRF risk.
CVE-2025-61735 is a Server-Side Request Forgery vulnerability in Apache Kylin versions 4.0.0 through 5.0.2, allowing attackers to make unauthorized requests.
You are affected if you are running Apache Kylin versions 4.0.0 through 5.0.2 and have not yet upgraded.
Upgrade Apache Kylin to version 5.0.3 or later. Restrict access to admin interfaces and implement network segmentation as interim measures.
There is currently no confirmed active exploitation, but the SSRF nature makes it a potential target.
Refer to the Apache Kylin security advisories on the Apache project website for the latest information.
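As an added example (not part of this advisory or of the Kylin project), a small Python check that flags an org.apache.kylin:kylin dependency in a pom.xml when its version falls in the affected range 4.0.0 through 5.0.2 stated above; the sample pom and all function names are constructed here.

```python
import re
import xml.etree.ElementTree as ET

# Affected range and fix version as stated in the advisory text above.
AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (5, 0, 2)
FIXED_IN = "5.0.3"

def parse_version(v):
    """'5.0.3-SNAPSHOT' -> ((5, 0, 3), 'SNAPSHOT'); numeric core padded to 3 parts."""
    core, _, qualifier = v.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    return nums + (0,) * (3 - len(nums)), qualifier

def is_affected(version):
    """True for 4.0.0 <= version <= 5.0.2. A pre-release build of the fix version
    (e.g. 5.0.3-SNAPSHOT) is conservatively treated as still affected."""
    core, qualifier = parse_version(version)
    if AFFECTED_MIN <= core <= AFFECTED_MAX:
        return True
    return core == parse_version(FIXED_IN)[0] and qualifier != ""

def kylin_versions_in_pom(pom_xml):
    """Versions declared for org.apache.kylin:kylin in a pom.xml, with ${property}
    references resolved from the <properties> block."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the POM namespace so plain tag names match
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    versions = []
    for dep in root.iter("dependency"):
        if (dep.findtext("groupId", "").strip() == "org.apache.kylin"
                and dep.findtext("artifactId", "").strip() == "kylin"):
            raw = dep.findtext("version", "").strip()
            versions.append(re.sub(r"\$\{([^}]+)\}",
                                   lambda m: props.get(m.group(1), m.group(0)), raw))
    return versions

def audit_pom(pom_xml):
    """Map each declared Kylin version to a verdict for CVE-2025-61735."""
    return {v: f"affected, upgrade to {FIXED_IN}" if is_affected(v) else "not affected"
            for v in kylin_versions_in_pom(pom_xml)}

# Constructed sample pom.xml (not from any real project) pinning Kylin via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><kylin.version>5.0.2</kylin.version></properties>
  <dependencies><dependency><groupId>org.apache.kylin</groupId>
    <artifactId>kylin</artifactId><version>${kylin.version}</version>
  </dependency></dependencies></project>"""
```

Versions managed through a parent POM or a BOM are not resolved here; run the check against the effective pom (mvn help:effective-pom) in that case.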