VYPR
Moderate severity · NVD Advisory · Published Oct 29, 2024 · Updated Oct 29, 2024

Apache NiFi: Improper Neutralization of Input in Parameter Description

CVE-2024-45477

Description

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-45477 is a stored cross-site scripting vulnerability in the Parameter Context description field of Apache NiFi, affecting versions 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3.

Apache NiFi versions 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 contain a stored cross-site scripting (XSS) vulnerability in the Parameter Context configuration. The description field for parameters does not properly sanitize user input, allowing an authenticated user with authorization to configure a Parameter Context to inject arbitrary JavaScript code [1][3].

Exploitation requires an authenticated user who has been granted permission to modify a Parameter Context. No additional privileges are needed. The injected script is stored and later executed in the browser of any authenticated user who views the affected Parameter Context description, within the security context of that user's session [1].

An attacker can execute arbitrary JavaScript in the victim's browser session, potentially stealing session cookies, exfiltrating sensitive data, or performing actions on behalf of the victim. This compromises the confidentiality and integrity of the application within the affected user's permissions [1].

Mitigation involves upgrading to Apache NiFi 1.28.0 or 2.0.0-M4, which include the fix implemented in pull request #9195 [1][2]. The NVD has not yet assigned a CVSS score, but the vulnerability is rated as moderate to high depending on the environment [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
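The description above says the stored description is handed to the browser as HTML, and the fix escapes it at render time. The following is an added illustration, not code from the NiFi project: escapeHtml here is a stand-in for nfCommon.escapeHtml (whose implementation is not shown on this page), the tooltip-config builders mirror the shape of the patched call, and descriptionLooksLikeMarkup is a hypothetical heuristic an operator could run over exported Parameter Contexts to spot descriptions worth reviewing on an unpatched instance. The sample parameters are constructed.

```javascript
// Added example (not Apache NiFi's own code). escapeHtml stands in for
// nfCommon.escapeHtml; the real helper may differ in detail.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that has meaning in HTML with its entity, so the
// string is shown as literal text wherever it is rendered as HTML.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Shape of the tooltip config before the fix: the raw description becomes
// the tooltip's HTML content, so any markup stored in it is parsed.
function tooltipContentUnsafe(parameter) {
  return { content: parameter.description };
}

// Shape after the fix (#9195): the description is escaped at render time.
function tooltipContentSafe(parameter) {
  return { content: escapeHtml(parameter.description) };
}

// Hypothetical triage heuristic for defenders: flags descriptions that carry
// tags, inline event handlers or javascript: URLs. Heuristic only; a flagged
// description is something to review, not proof of abuse.
function descriptionLooksLikeMarkup(description) {
  if (typeof description !== 'string') return false;
  return /<[a-zA-Z!\/]/.test(description)
    || /\bjavascript:/i.test(description)
    || /\bon[a-z]+\s*=/i.test(description);
}

// Constructed sample parameters: one plain description, one containing markup.
const sampleParameters = [
  { name: 'db.host', description: 'Primary database hostname' },
  { name: 'db.port', description: 'Port <b>must</b> be numeric' },
];

// Builds a per-parameter report showing what each tooltip variant would
// receive and whether the description is worth a closer look.
function renderReport(parameters) {
  return parameters.map((p) => ({
    name: p.name,
    unsafe: tooltipContentUnsafe(p).content,
    safe: tooltipContentSafe(p).content,
    flagged: descriptionLooksLikeMarkup(p.description),
  }));
}

for (const row of renderReport(sampleParameters)) {
  console.log(row);
}
```

The escaped form is the right place to neutralize the input because the description is stored raw: escaping on the way in would break other consumers that expect plain text, while escaping at every HTML render site keeps the stored value intact and the browser inert.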

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem  Affected versions        Patched versions
org.apache.nifi:nifi-web-ui  Maven      >= 1.10.0, < 1.28.0      1.28.0
org.apache.nifi:nifi-web-ui  Maven      >= 2.0.0-M1, < 2.0.0-M4  2.0.0-M4

Affected products (3)

Patches (1)
153c87a7daae

NIFI-13675 Fixed Tooltip for Parameter Description (#9195)

https://github.com/apache/nifi · Pierre Villard · Aug 25, 2024 · via ghsa
1 file changed · +1 −1
  • nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/js/nf/canvas/nf-parameter-contexts.js (+1 −1, modified)
    @@ -2194,7 +2194,7 @@
                         infoIcon.qtip($.extend({},
                             nfCommon.config.tooltipConfig,
                             {
    -                            content: parameter.description
    +                            content: nfCommon.escapeHtml(parameter.description)
                             }));
                     }
                 }
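Review bot: the escaping is applied at exactly one render site, so the review should confirm that `parameter.description` is not passed unescaped to any other tooltip or table cell in this file or elsewhere in nifi-web-ui; a stored value that is escaped on output is only safe if every HTML render site does the same. Escaping at render time rather than at save time is the right choice here, since it leaves the stored description intact for non-HTML consumers. A regression test that stores a description containing markup and asserts the tooltip content equals `nfCommon.escapeHtml(parameter.description)` would document the intent of the one-line change.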
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (8)

News mentions (0)

No linked articles in our index yet.