Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution
Description
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. This vulnerability also applies to the Pulsar Broker when it is configured with "functionsWorkerEnabled=true".
This issue affects Apache Pulsar versions from 2.4.0 to 2.10.5, from 2.11.0 to 2.11.3, from 3.0.0 to 3.0.2, from 3.1.0 to 3.1.2, and 3.2.0.
2.10 Pulsar Function Worker users should upgrade to at least 2.10.6. 2.11 Pulsar Function Worker users should upgrade to at least 2.11.4. 3.0 Pulsar Function Worker users should upgrade to at least 3.0.3. 3.1 Pulsar Function Worker users should upgrade to at least 3.1.3. 3.2 Pulsar Function Worker users should upgrade to at least 3.2.1.
Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Apache Pulsar Function Worker allows authenticated remote code execution outside sandboxes.
Vulnerability
Details
Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the function worker, bypassing sandbox restrictions [1][4]. This issue also affects the Pulsar Broker when functionsWorkerEnabled=true [1].
Exploitation
An attacker must have authenticated access to the Pulsar cluster and be able to submit functions. By crafting malicious input, they can execute arbitrary Java code on the worker node outside the intended sandbox [3].
Impact
Successful exploitation grants the attacker the ability to run arbitrary Java code with the privileges of the Function Worker process, potentially leading to full compromise of the worker node and access to sensitive data [1].
Mitigation
Patches are available in Pulsar versions 2.10.6, 2.11.4, 3.0.3, 3.1.3, and 3.2.1. Users should upgrade immediately [3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.pulsar:pulsar-functions-worker (Maven) | >= 2.4.0, < 2.10.6 | 2.10.6 |
| org.apache.pulsar:pulsar-functions-worker (Maven) | >= 2.11.0, < 2.11.4 | 2.11.4 |
| org.apache.pulsar:pulsar-functions-worker (Maven) | >= 3.0.0, < 3.0.3 | 3.0.3 |
| org.apache.pulsar:pulsar-functions-worker (Maven) | >= 3.1.0, < 3.1.3 | 3.1.3 |
| org.apache.pulsar:pulsar-functions-worker (Maven) | >= 3.2.0, < 3.2.1 | 3.2.1 |
Affected products
- Range: 2.4.0
References
- github.com/advisories/GHSA-xp2r-g8qq-44hh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-27135 (NVD advisory)
- pulsar.apache.org/security/CVE-2024-27135/ (vendor advisory)
- www.openwall.com/lists/oss-security/2024/03/12/9 (oss-security mailing list)
- lists.apache.org/thread/dh8nj2vmb2br6thjltq74lk9jxkz62wn (Apache mailing list)
- pulsar.apache.org/security/CVE-2024-27135 (vendor advisory)