Apache StreamPark (incubating): maven build params could trigger remote command execution
Description
In StreamPark, the project module integrates Maven's compilation capabilities. Input parameter validation is not strict, which allows an attacker to insert commands and achieve remote command execution. The prerequisite for a successful attack is that the attacker is logged in to the StreamPark system and has system-level permissions. Generally, only users of that system are authorized to log in, and such users would not normally input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Mitigation:
All users should upgrade to 2.1.4.
Background info:
Log in to StreamPark using a default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module and add a new project. Enter the git repository address of the project and input touch /tmp/success_2.1.2 as the "Build Argument". Note that there is no verification or interception of the special character "`". As a result, this injected command is executed when the build runs.
In the latest version, the special symbol ` is intercepted.
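A defensive illustration of the mitigation described above, added here as an example (this is not StreamPark's own code): user-supplied build arguments are tokenised and checked for shell metacharacters before being handed to Maven as an argv list, so no shell ever interprets them. The metacharacter set, the Maven token pattern and the helper names are assumptions of this example.

```python
import re
import shlex
import subprocess

# Characters that would let a build argument escape into a shell. The advisory
# says 2.1.4 intercepts the backtick; this check is deliberately broader
# (an assumption of this example, not StreamPark's own rule).
SHELL_METACHARACTERS = set("`$;|&<>(){}\n\r")

# Shape of a legitimate Maven token: goals/phases, -D/-P/-pl/-am style flags,
# plugin coordinates. Anything else is rejected before it reaches a process.
MAVEN_TOKEN = re.compile(r"[A-Za-z0-9_.:=/,@+!*-]+")


def validate_build_args(arg_string: str) -> list[str]:
    """Split a user-supplied Maven argument string into argv tokens.

    Raises ValueError on any token that carries a shell metacharacter or does
    not look like a Maven option, so the caller never needs a shell at all.
    shlex.split itself raises ValueError on unbalanced quotes.
    """
    tokens = shlex.split(arg_string, posix=True)
    for tok in tokens:
        bad = sorted(set(tok) & SHELL_METACHARACTERS)
        if bad:
            raise ValueError(f"shell metacharacter(s) {bad} in build argument {tok!r}")
        if not MAVEN_TOKEN.fullmatch(tok):
            raise ValueError(f"build argument {tok!r} is not a Maven option")
    return tokens


def maven_command(build_args: str, mvn: str = "mvn") -> list[str]:
    """Assemble the argv list for the build.

    Passing a list with shell=False means the shell never parses the user's
    text, so even a backtick could not spawn a command; the validation above
    is defence in depth and gives the operator something to log and alert on.
    """
    return [mvn, "clean", "package", *validate_build_args(build_args)]


def run_build(build_args: str, project_dir: str) -> int:
    """Run the build in project_dir and return Maven's exit status."""
    result = subprocess.run(maven_command(build_args), cwd=project_dir, shell=False)
    return result.returncode
```

Rejections raised by validate_build_args are the point at which a deployment should log the offending token and the submitting user, since a legitimate build never needs a backtick or command substitution.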
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache StreamPark's project module lacks input validation in Maven build arguments, allowing authenticated users with system-level permissions to execute arbitrary commands via backticks.
In Apache StreamPark (incubating), the project module integrates Maven's compilation capabilities. The input parameter validation for build arguments is insufficient, allowing attackers to inject arbitrary commands. Specifically, the backtick character (`) is not filtered or escaped, enabling command injection during the Maven build process [1]. This vulnerability affects StreamPark versions 2.0.0 through 2.1.3 [3].
Exploitation requires the attacker to be logged into the StreamPark system with system-level permissions, typically meaning they are an authorized user of the platform. The attack is carried out by navigating to the Project module, adding a new project, and entering a malicious payload—such as touch /tmp/success_2.1.2—in the Build Argument field. The malicious command is then executed when the build runs [1]. The official description notes that users would not normally manually input dangerous commands, which lowers the exploitation risk [3].
Successful command injection allows the attacker to execute arbitrary operating system commands on the StreamPark server with the privileges of the StreamPark process. This could lead to data compromise, service disruption, or further lateral movement within the environment [1].
Mitigation: All users should upgrade to Apache StreamPark 2.1.4, which intercepts the special backtick symbol and prevents the injection [1][3]. No workarounds have been published for versions prior to this fix.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.streampark:streampark | Maven | < 2.1.4 | 2.1.4 |
Affected products
- Apache Software Foundation / Apache StreamPark (incubating), affected range: 2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5v69-92vw-fmjh (advisory, via GHSA)
- lists.apache.org/thread/xhx7jt1t24s6d7o435wxng8t0ojfbfh5 (vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2024-29737 (advisory)
- www.openwall.com/lists/oss-security/2024/07/17/2 (web)
News mentions
No linked articles in our index yet.