CVE-2017-12632
Description
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malicious HTTP Host header in Apache NiFi could allow loading resources from an external server, fixed in version 1.5.0.
Vulnerability
Apache NiFi versions 1.x prior to 1.5.0 are vulnerable to an HTTP Host header injection attack. A malicious Host header in an incoming HTTP request can cause NiFi to load resources from an external server, bypassing intended controls. The fix involves sanitizing the Host header and comparing it against a controlled whitelist [1][2].
Exploitation
An attacker with network access to an affected NiFi instance can craft an HTTP request with a malicious Host header. No authentication or user interaction is required beyond the ability to send an HTTP request to the NiFi server. The malicious header causes NiFi to retrieve resources from an attacker-controlled external server [1][2].
Impact
Successful exploitation allows an attacker to cause NiFi to load resources from an external server, potentially leading to the execution of untrusted code or data exfiltration. The impact is limited to the server-side processing of the malicious Host header, and the attacker does not gain direct access to internal resources beyond what is achievable through the loaded external content [1][2].
Mitigation
The vulnerability is fixed in Apache NiFi version 1.5.0 (the cited sources do not give the release date). Users running any prior 1.x release should upgrade to version 1.5.0 or later. No workarounds are documented, and there is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.nifi:nifi | Maven | >= 1.0.0, < 1.5.0 | 1.5.0 |
Affected products
- Apache Software Foundation / Apache NiFi, affected range: 1.0.0 - 1.4.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-w4x6-j349-9r57 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-12632 (NVD advisory)
- nifi.apache.org/security.html (vendor confirmation)