Apache StreamPark: FreeMarker SSTI RCE Vulnerability
Description
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server. The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.
Mitigation:
All users should upgrade to 2.1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache StreamPark before 2.1.4 contains a server-side template injection (SSTI) vulnerability via FreeMarker, allowing authenticated remote code execution.
Vulnerability Description
CVE-2024-29178 is a server-side template injection (SSTI) vulnerability in Apache StreamPark, an open-source streaming application development framework. In versions prior to 2.1.4, an authenticated user can inject malicious FreeMarker templates, leading to remote code execution (RCE) on the server. The flaw is rooted in insufficient sanitization of user-supplied input that is processed by the FreeMarker templating engine [1][3].
Attack Vector
To exploit this vulnerability, an attacker must first have valid credentials and successfully log into the StreamPark web interface. Once authenticated, the attacker can craft a malicious template payload that is processed by the underlying FreeMarker engine. This prerequisite of authentication reduces the attack surface but does not eliminate the risk, especially in environments with shared or low-privilege accounts [1][3].
Impact
Successful exploitation grants the attacker arbitrary remote code execution on the StreamPark server. This can lead to full compromise of the application, including data exfiltration, lateral movement within the infrastructure, and potential disruption of streaming data pipelines managed by the platform. The official severity rating is moderate due to the authentication requirement [1][3].
Mitigation
All users are advised to upgrade to Apache StreamPark version 2.1.4 or later, which contains the fix for this vulnerability. No workarounds have been published, and the vendor recommends immediate patching to prevent exploitation [1][2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.streampark:streampark (Maven) | < 2.1.4 | 2.1.4 |
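An added example (not from the advisory or the StreamPark project): a check for the upgrade advice above that reads `mvn dependency:list` output and flags `org.apache.streampark` artifacts below 2.1.4. Matching on the whole group ID, the hypothetical module names in the constructed sample, and treating any version qualifier as a pre-release are assumptions.

```python
import re

GROUP_ID = "org.apache.streampark"  # group of the package in the table above
FIXED = (2, 1, 4)                   # first patched release per this page

# group:artifact:type[:classifier]:version:scope, as `mvn dependency:list` prints it
COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:"
    r"(?:[\w.\-]+:)?(?P<version>[\w.\-]+):(?P<scope>[a-z]+)\b"
)

def version_key(version):
    """Return (numeric parts, release flag); flag is 0 when a qualifier follows."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))      # "2.1" compares as 2.1.0
    # Assumption: any qualifier (-SNAPSHOT, -rc1) sorts before the plain release.
    return tuple(nums), 0 if m.group(2) else 1

def is_affected(version):
    """True if below 2.1.4, False if not, None if the version cannot be parsed."""
    key = version_key(version)
    return None if key is None else key < (FIXED, 1)

def scan(lines):
    """Return (artifact, version, verdict) for every StreamPark coordinate found."""
    labels = {True: "AFFECTED", False: "ok", None: "REVIEW"}
    findings = []
    for line in lines:
        m = COORD.search(line)
        if m and m.group("group") == GROUP_ID:
            verdict = labels[is_affected(m.group("version"))]
            findings.append((m.group("artifact"), m.group("version"), verdict))
    return findings

# Constructed sample; module names other than "streampark" are hypothetical.
SAMPLE = """\
[INFO]    org.apache.streampark:streampark:jar:2.1.3:compile
[INFO]    org.apache.streampark:streampark-module-a:jar:2.1.4:compile
[INFO]    org.apache.streampark:streampark-module-b:jar:2.1.4-SNAPSHOT:compile
[INFO]    org.freemarker:freemarker:jar:2.3.32:compile
[INFO]    org.apache.streampark:streampark-module-c:jar:2.1.10:compile
[INFO]    org.apache.streampark:streampark-module-d:jar:tests:2.1.2:test
""".splitlines()

if __name__ == "__main__":
    for artifact, version, verdict in scan(SAMPLE):
        print(f"{verdict:8} {artifact} {version}")
```

Versions are compared as integer tuples, so 2.1.10 is correctly treated as newer than 2.1.4, which a plain string comparison would get wrong.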
Affected products
- Apache Software Foundation/Apache StreamPark, v5, Range: 1.0.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-vv8h-m63v-53pq (ghsa, ADVISORY)
- lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-29178 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2024/07/18/1 (ghsa, WEB)