Critical severity · NVD Advisory · Published May 14, 2025 · Updated Feb 26, 2026
Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function
CVE-2024-24780
Description
Remote Code Execution via an untrusted UDF URI in Apache IoTDB. An attacker who holds the privilege to create user-defined functions (UDFs) can register a malicious function loaded from an untrusted URI, and the server then executes that code.
This issue affects Apache IoTDB: from 1.0.0 before 1.3.4.
Users are recommended to upgrade to version 1.3.4, which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.iotdb:iotdb-core | Maven | >= 1.0.0, < 1.3.4 | 1.3.4 |
| apache-iotdb | PyPI | >= 1.0.0, < 1.3.4 | 1.3.4 |
Affected products
- Apache Software Foundation / Apache IoTDB: versions >= 1.0.0, < 1.3.4 (no CPE assigned; CVE record lists version start 1.0.0)
References
- GitHub Security Advisory: github.com/advisories/GHSA-f4rq-f4j9-f6rm
- Apache vendor advisory: lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2024-24780
- oss-security post: www.openwall.com/lists/oss-security/2025/05/14/2
- Fix pull request: github.com/apache/iotdb/pull/14365
- PyPA advisory (PYSEC-2025-59): github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2025-59.yaml