CVE-2025-66524

CWE-502 — Deserialization of Untrusted Data6 documents6 sources

Severity

7.5HIGH

EPSS

0.2%

top 63.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Nifi Apache Software Foundation Apache Nifi

Timeline

PublishedDec 19

Description

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache Ni…

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Mavenorg.apache.nifi:nifi-asana-processors1.20.0 — 2.7.0

▶NVDapache/nifi1.20.0 — 2.7.0+1

▶CVEListV5apache_software_foundation/apache_nifi1.20.0 — 2.6.0

🔴Vulnerability Details

GHSA

Apache NiFi GetAsanaObject Processor has Remote Code Execution via Unsafe Deserialization↗2025-12-19

▶

OSV

Apache NiFi GetAsanaObject Processor has Remote Code Execution via Unsafe Deserialization↗2025-12-19

▶

CVEList

Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor↗2025-12-19

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2025-66524↗

▶

🕵️Threat Intelligence

Wiz

CVE-2025-66524 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶