CVE-2025-27528

Severity: 9.1 CRITICAL
EPSS: 0.4% (top 41.96%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2025-05-28

Description

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 through 2.1.0. It allows attackers to bypass the security mechanisms of InLong JDBC, leading to arbitrary file reading; the advisory titles below describe the bypass as one using invisible characters. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick the fix [1]. [1] https://github.com/apache/inlong/pull/11747
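
The advisory does not say which JDBC URL parameters InLong's check covers or exactly where the invisible characters are placed, so the following is an added illustration of the general bypass class, not InLong's code and not the reported exploit. It assumes a filter that substring-matches dangerous connector parameter names on the raw URL, using MySQL Connector/J's well-known allowLoadLocalInfile (client-side file read) and autoDeserialize (object deserialization) as stand-in names, and a downstream consumer that ignores Unicode format characters such as U+200B. Beside it is a hardened check that rejects any invisible character outright and compares parsed, percent-decoded parameter names instead of raw substrings; the percent-encoded case goes beyond what the advisory mentions. All sample URLs are constructed.

```python
"""Added example (not Apache InLong code): invisible-character bypass of a
JDBC URL keyword filter, and a hardened replacement.

Assumptions, not facts from the advisory: the blocked parameter names, the
substring-matching shape of the vulnerable check, and that the consumer of
the URL ignores Unicode format characters."""
import unicodedata
from urllib.parse import parse_qsl, urlsplit

# Assumed blocklist: MySQL Connector/J properties that let a malicious server
# read client-side files (allowLoadLocalInfile / allowUrlInLocalInfile) or
# deserialize attacker-supplied objects (autoDeserialize).
BLOCKED_PARAMS = {"autoDeserialize", "allowLoadLocalInfile", "allowUrlInLocalInfile"}

# Unicode format characters (e.g. U+200B ZERO WIDTH SPACE, U+FEFF) and controls.
INVISIBLE_CATEGORIES = ("Cf", "Cc")


def naive_is_safe(jdbc_url: str) -> bool:
    """Vulnerable shape: case-insensitive substring search on the raw URL.
    Any character inserted inside a keyword breaks the match."""
    lowered = jdbc_url.lower()
    return not any(name.lower() in lowered for name in BLOCKED_PARAMS)


def strip_invisible(text: str) -> str:
    """Drop characters a reviewer or a lenient parser would not 'see'.
    Models a downstream consumer that tolerates such characters."""
    return "".join(ch for ch in text if unicodedata.category(ch) not in INVISIBLE_CATEGORIES)


def jdbc_params(jdbc_url: str) -> dict:
    """Parse the query part of jdbc:<sub>://host/db?k=v&... with percent-decoding.
    urlsplit treats 'jdbc' as the scheme and still isolates the query string."""
    return dict(parse_qsl(urlsplit(jdbc_url).query, keep_blank_values=True))


def hardened_is_safe(jdbc_url: str) -> bool:
    """Hardened shape: refuse crafted input instead of cleaning it, then match
    on parsed parameter names rather than on raw substrings."""
    if strip_invisible(jdbc_url) != jdbc_url:
        return False  # invisible characters never belong in a connection string
    blocked = {name.lower() for name in BLOCKED_PARAMS}
    return not any(key.lower() in blocked for key in jdbc_params(jdbc_url))


# Constructed sample inputs (not from the advisory).
ZWSP = "\u200b"
BENIGN = "jdbc:mysql://db.internal:3306/inlong?useSSL=true"
BLATANT = "jdbc:mysql://evil.example:3306/x?allowLoadLocalInfile=true"
SNEAKY = f"jdbc:mysql://evil.example:3306/x?allow{ZWSP}LoadLocalInfile=true"
ENCODED = "jdbc:mysql://evil.example:3306/x?%61llowLoadLocalInfile=true"


def compare(urls=(BENIGN, BLATANT, SNEAKY, ENCODED)) -> dict:
    """Return {url: (naive_verdict, hardened_verdict)} for each sample URL."""
    return {url: (naive_is_safe(url), hardened_is_safe(url)) for url in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in compare().items():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {url!r}")
    # What a consumer that drops format characters actually sees for SNEAKY:
    print("after stripping:", strip_invisible(SNEAKY) == BLATANT)
```

Stripping the characters and then checking would also close this particular hole, but rejecting is the safer default: a connection string never legitimately contains zero-width or control characters, and silently cleaning leaves the check dependent on the same normalisation the downstream driver happens to apply. For InLong itself the fix is the upgrade to 2.2.0 or the cherry-pick named above; the code here only models the class of check involved.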

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2
(Network attack vector, low complexity, no privileges or user interaction required; high confidentiality and integrity impact, no availability impact.)

Affected Packages (3 packages)

Source      Package                                    Introduced   Fixed / last affected
NVD         apache/inlong                              1.13.0       2.2.0 (fixed)
Maven       org.apache.inlong:manager-pojo             1.13.0       2.2.0 (fixed)
CVEListV5   apache_software_foundation/apache_inlong   1.13.0       2.1.0 (last affected)

The CVEList entry records the last affected version (2.1.0) where NVD and Maven record the first fixed version (2.2.0); both agree with the description's "from 1.13.0 through 2.1.0". The Maven row places the affected code in the org.apache.inlong:manager-pojo artifact.

🔴 Vulnerability Details (3 references)

OSV       2025-05-28   Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read
GHSA      2025-05-28   Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read
CVEList   2025-05-28   Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read