Apache SeaTunnel: Unauthenticated insecure access

An attacker can leverage this vulnerability to read arbitrary files from the SeaTunnel server's file system. By manipulating extra parameters within the MySQL URL during job submission, they can trigger deserialization of malicious objects, potentially leading to remote code execution. The blast radius extends to any data accessible by the SeaTunnel process, and successful exploitation could compromise the entire system. This vulnerability shares similarities with other deserialization vulnerabilities where attackers can inject malicious code through crafted input.

Organizations using Apache SeaTunnel for data integration and transformation pipelines, particularly those relying on the /hazelcast/rest/maps/submit-job endpoint for job submission, are at risk. Environments with weak access controls or legacy configurations are especially vulnerable.

• linux / server:

journalctl -u seatunnel -g "arbitrary file read"

• java / supply-chain: Inspect SeaTunnel job submissions for unusual MySQL URL parameters. Look for patterns indicative of file path manipulation. • generic web:

curl -I /hazelcast/rest/maps/submit-job | grep -i 'content-type: application/json'

Check for unexpected content types in the response, which might indicate a deserialization attempt.

1. 2025-06-19Disclosure

   disclosure

1. आरक्षित2025-04-12
2. प्रकाशित2025-06-19
3. EPSS अद्यतन2026-03-23

The primary mitigation is to upgrade Apache SeaTunnel to version 2.3.11 or later. This version includes a fix that addresses the vulnerability. As an interim measure, consider disabling the /hazelcast/rest/maps/submit-job endpoint if it's not essential. Enabling restful api-v2 and enforcing HTTPS two-way authentication will further restrict access and reduce the attack surface. Review and restrict access to the SeaTunnel environment, limiting user privileges to the minimum necessary.