Unsafe Pre-Authentication Deserialization In Workers
Description
Apache Storm supervisor server contains an unsafe deserialization vulnerability in worker services that allows pre-auth RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Apache Storm supervisor server contains an unsafe deserialization vulnerability in its worker services [1]. This flaw exists across multiple version lines: Storm 2.2.x (before 2.2.1 or 2.3.0), Storm 2.1.x (before 2.1.1), and Storm 1.x (before 1.2.4) [1]. The vulnerable code path is reachable without any prior authentication.
Exploitation
An attacker can exploit this vulnerability by sending a crafted serialized object to the supervisor server worker services [1]. No authentication is required to reach the vulnerable endpoint, meaning the attack can be performed from any network position that can communicate with the Storm supervisor server.
Impact
Successful exploitation leads to pre-authentication remote code execution (RCE) on the Apache Storm supervisor server [1]. The attacker gains the ability to execute arbitrary code with the privileges of the Storm process, potentially compromising the entire Storm cluster.
Mitigation
Users should upgrade to the fixed versions: Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0; Apache Storm 2.1.x users should upgrade to version 2.1.1; Apache Storm 1.x users should upgrade to version 1.2.4 [1]. No workarounds are mentioned in the available reference.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.storm:storm (Maven) | >= 2.2.0, < 2.2.1 | 2.2.1 |
| org.apache.storm:storm (Maven) | >= 1.0.0, < 1.2.4 | 1.2.4 |
| org.apache.storm:storm (Maven) | >= 2.1.0, < 2.1.1 | 2.1.1 |
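As an added example that is not part of this advisory page, the following Python helper encodes the affected and patched ranges from the table above and flags deployed Storm versions that still fall inside them; the host names and versions in the sample inventory are constructed.

```python
"""Triage deployed Apache Storm versions against the affected ranges in the
advisory table (lower bound inclusive, upper bound exclusive)."""
import re

# Ranges copied from the advisory table: (first affected, first fixed, upgrade to)
AFFECTED_RANGES = [
    ("2.2.0", "2.2.1", "2.2.1"),
    ("1.0.0", "1.2.4", "1.2.4"),
    ("2.1.0", "2.1.1", "2.1.1"),
]

def parse_version(v):
    """Turn '2.2.0' or '2.2.1-SNAPSHOT' into a comparable tuple.

    Numeric parts are padded to three components; a pre-release qualifier
    (e.g. -SNAPSHOT) sorts *before* the bare release, so a snapshot built
    ahead of the fix release is conservatively treated as unpatched."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-+](.*))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    qualifier = m.group(2)
    return nums + ((0, qualifier) if qualifier else (1, ""))

def is_affected(version):
    """Return the version to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper, patched in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(upper):
            return patched
    return None

def triage(inventory):
    """Map host -> Storm version to host -> required patched version."""
    return {h: p for h, v in inventory.items() if (p := is_affected(v))}

# Constructed sample inventory (hypothetical hosts and versions)
SAMPLE_INVENTORY = {
    "storm-sup-01": "2.2.0",
    "storm-sup-02": "2.2.1",
    "storm-sup-03": "1.2.3",
    "storm-sup-04": "2.1.0",
    "storm-sup-05": "2.3.0",
    "storm-sup-06": "2.2.1-SNAPSHOT",
}

if __name__ == "__main__":
    for host, patched in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected, upgrade to {patched}")
```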
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-w729-7633-2fw5 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-40865 (ghsa; ADVISORY)
- lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E (ghsa; x_refsource_MISC; WEB)
- seclists.org/oss-sec/2021/q4/45 (ghsa; x_refsource_MISC; WEB)
News mentions (0)
No linked articles in our index yet.