Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 56.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 20; Latest update Feb 12

Description

When the library bridge feature is enabled, the clickhouse-library-bridge exposes an HTTP API on localhost. This allows clickhouse-server to dynamically load a library from a specified path and execute it in an isolated process. Combined with the ClickHouse table engine functionality that permits file uploads to specific directories, a misconfigured server can be exploited by an attacker with privileges to access both table engines to execute arbitrary code on the ClickHouse server. You can c

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (8 packages)

Ecosystem   Package                      Introduced   Fixed
CVEListV5   clickhouse/clickhouse_oss    24.3         24.3.18.6   (+4 more ranges)
npm         anthropic-ai/claude-code     0.2.116      1.0.24
npm         next/next                    15.0.0       15.2.2      (+1 more range)
npm         farmfe/core                  < 1.7.6

Vulnerability Details (7)

GHSA: @farmfe/core is Missing Origin Validation in WebSocket (2026-02-12)
GHSA: Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API (2025-10-02)
GHSA: Claude Code Improper Authorization via websocket connections from arbitrary origins (2025-06-23)
GHSA: Information exposure in Next.js dev server due to lack of origin verification (2025-05-28)
OSV: CVE-2025-1385: When the library bridge feature is enabled, the clickhouse-library-bridge exposes an HTTP API on localhost (2025-03-20)

Vendor Advisories (2)

Red Hat: next.js: Information exposure in Next.js dev server due to lack of origin verification (2025-05-30)
Debian: CVE-2025-1385: clickhouse - When the library bridge feature is enabled, the clickhouse-library-bridge expose... (2025)