Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt
Description
Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-based XSS in the Apache NiFi JoltTransformJSON Processor UI allows an attacker to execute arbitrary JavaScript in the session context of an authenticated user.
Vulnerability
Overview
Apache NiFi versions 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting (XSS). The issue arises from improper handling of user-supplied input within the JavaScript-based UI controller, specifically during parameter initialization for interactive Jolt specification testing [4]. An attacker can craft a malicious URL that, when visited by an authenticated user authorized to configure a JoltTransformJSON Processor, triggers execution of arbitrary JavaScript code within the session context of that user [1][2].
Attack
Vector and Prerequisites
The vulnerability is DOM-based, meaning the malicious script is injected and executed entirely on the client side after the page loads, without requiring server-side reflection of malicious input. The attacker must first craft a URL containing the payload and then convince an authenticated NiFi user who has privileges to configure the JoltTransformJSON Processor to visit that URL. No additional authentication or network position is required beyond the victim's existing session [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's authenticated session. This can lead to session hijacking, theft of sensitive data displayed in the UI, or performing unauthorized actions on behalf of the victim, such as modifying processor configurations or exfiltrating data flows. The impact is limited to actions the victim is authorized to perform, but given that the victim must be authorized to configure the processor, the attacker gains significant access within the NiFi instance [1].
Mitigation
Apache NiFi has released versions 1.24.0 and 2.0.0-M1 which fix the vulnerability by simplifying the initialization method in the JoltTransform UI controller to avoid unnecessary JavaScript parsing [4]. Users are strongly recommended to upgrade to one of these patched versions. There are no known workarounds for unpatched versions [2]. This issue is tracked as NIFI-12403 in the Apache NiFi issue tracker [4].
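As an added example (not NiFi project code), the pre-fix pattern and the patched pattern side by side: the old controller passed URL parameters such as editable and disconnectedNodeAcknowledged through eval(), which executes the parameter value as JavaScript, while the fix compares the string against 'true'. The query string is constructed for this example, and parseJoltUiParams is a hypothetical helper whose parameter names mirror those the Jolt UI reads.

```javascript
// Added example, not code from the NiFi project.
// The pre-fix controller evaluated URL parameters with eval(); the fix compares
// the raw string against 'true'. Both forms are shown on a constructed query.

// Pre-fix pattern (illustrative only): the parameter value is executed as code.
function unsafeParseFlag(value) {
  // eslint-disable-next-line no-eval
  return eval(value);
}

// Post-fix pattern: strict string comparison, the value is never evaluated.
// Anything other than the exact string 'true' (missing, 'TRUE', '1', an
// expression) yields false.
function safeParseFlag(value) {
  return value === 'true';
}

// Hypothetical helper: read the parameters the Jolt UI takes from its URL
// (id, clientId, revision, disconnectedNodeAcknowledged, editable) using the
// hardened comparison for the two boolean flags.
function parseJoltUiParams(queryString) {
  const params = new URLSearchParams(queryString);
  return {
    processorId: params.get('id'),
    clientId: params.get('clientId'),
    revisionId: params.get('revision'),
    disconnectedNodeAcknowledged: safeParseFlag(params.get('disconnectedNodeAcknowledged')),
    editable: safeParseFlag(params.get('editable')),
  };
}

// Constructed sample: 'editable' carries an expression ("2>1"), not a boolean literal.
const SAMPLE_QUERY =
  '?id=abc-123&clientId=c1&revision=7&disconnectedNodeAcknowledged=false&editable=2%3E1';

function demo() {
  const editable = new URLSearchParams(SAMPLE_QUERY).get('editable'); // "2>1"
  return {
    unsafe: unsafeParseFlag(editable), // eval("2>1") -> true: the input ran as code
    safe: safeParseFlag(editable),     // "2>1" === 'true' -> false: treated as data
    parsed: parseJoltUiParams(SAMPLE_QUERY),
  };
}
```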
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.nifi:nifi-jolt-transform-json-ui (Maven) | < 1.24.0 | 1.24.0 |
Affected products
- OSV coordinates, 2 version ranges: >= 0.7.0, < 1.24.0; < 1.24.0
- (no CPE) range: >= 0.7.0, < 1.24.0
- (no CPE) range: < 1.24.0
- Apache Software Foundation / Apache NiFi, CVE v5 range: 0.7.0
Patches
50efc55df6bb NIFI-12403 Improve Jolt UI Parameter Processing (#8060)
1 file changed · +2 −2
nifi-nar-bundles/nifi-standard-bundle/nifi-jolt-transform-json-ui/src/main/webapp/app/transformjson/transformjson.controller.js+2 −2 modified@@ -408,8 +408,8 @@ var TransformJsonController = function ($scope, $state, $q, $mdDialog, $timeout, $scope.processorId = params.id; $scope.clientId = params.clientId; $scope.revisionId = params.revision; - $scope.disconnectedNodeAcknowledged = eval(params.disconnectedNodeAcknowledged); - $scope.editable = eval(params.editable); + $scope.disconnectedNodeAcknowledged = params.disconnectedNodeAcknowledged === 'true'; + $scope.editable = params.editable === 'true'; var jsonSpec = $scope.getSpec($scope.transform,$scope.jsonSpec); if(jsonSpec != null && jsonSpec != ""){
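Review bot: replacing eval() with `=== 'true'` on the disconnectedNodeAcknowledged and editable assignments closes the code-execution path, but the behaviour change deserves a comment on those two lines: previously eval(undefined) returned undefined and any other value was executed as an expression, whereas now every value except the exact lowercase string 'true' (including 'TRUE', '1' or an absent parameter) becomes false. The surrounding assignments in the same hunk (`$scope.processorId = params.id;`, `$scope.clientId = params.clientId;`, `$scope.revisionId = params.revision;`) still take the raw parameter strings; the same untrusted-input treatment should apply wherever those values reach the DOM or are passed on to getSpec.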
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-68pr-6fjc-wmgm (GHSA advisory)
- lists.apache.org/thread/j8rd0qsvgoj0khqck5f49jfbp0fm8r1o (vendor advisory)
- nifi.apache.org/security.html (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-49145 (advisory)
- www.openwall.com/lists/oss-security/2023/11/27/5 (web)
- github.com/apache/nifi/commit/50efc55df6bb00ea15adcc2459d5cc82d128857f (fix commit)
- github.com/apache/nifi/pull/8060 (pull request)
- issues.apache.org/jira/browse/NIFI-12403 (issue tracker)
News mentions
No linked articles in our index yet.