CVE-2025-62728: SQL Injection in Software Foundation Apache Hive

CWE-89: SQL Injection | 4 documents | 4 sources

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.1% (top 70.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 26

Description

SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call the Thrift APIs directly. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., HiveServer2), and thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when the metastore.try.direct.sql property is set

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages (2 packages)

CVEList V5 | apache_software_foundation/apache_hive | 4.1.0 | 4.2.0
NVD | apache/hive | 4.1.0

Vulnerability Details (3)

GHSA: Hive Metastore Server is vulnerable to SQL Injection (2025-11-26)
CVEList: Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs (2025-11-26)
OSV: Hive Metastore Server is vulnerable to SQL Injection (2025-11-26)