Apache InLong: JDBC Vulnerability during verification processing
Description
Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/11732
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong versions 1.13.0 through 2.1.0 are vulnerable to untrusted data deserialization, bypassing the previous fix for CVE-2024-26579.
The vulnerability is a deserialization of untrusted data issue in Apache InLong, affecting versions from 1.13.0 through 2.1.0. This flaw is a secondary mining bypass for CVE-2024-26579, meaning earlier patches were incomplete [1][3]. The root cause is improper filtering of sensitive JDBC parameters, such as autoDeserialize, allowLoadLocalInfile, and allowUrlInLocalInfile, which can be exploited during connection URL parsing [4].
Exploitation
An attacker with access to InLong's management interface can craft a malicious JDBC URL containing dangerous parameters (e.g., autoDeserialize=true) to trigger deserialization of untrusted data. No prior authentication is strictly required if the interface is exposed, as the parameter sanitization occurs during JDBC verification processing [1][4].
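The filtering problem described above, as an added example (not code from InLong or from the patch): a substring check in the shape of the pre-fix logic beside a filter that parses the URL into key/value pairs and compares trimmed, case-folded names and values. The parameter set, helper names and sample URLs are constructed for this example from the values the advisory and its regression test mention.

```python
import re
from urllib.parse import parse_qsl

# Parameters the advisory names; constructed for this example, not InLong's
# SENSITIVE_REPLACE_PARAM_MAP.
SENSITIVE_PARAMS = {"autoDeserialize", "allowLoadLocalInfile", "allowUrlInLocalInfile"}
TRUTHY = {"true", "yes"}


def naive_contains_sensitive(url: str) -> bool:
    """Substring check in the shape of the pre-fix containSensitiveKey:
    case-sensitive, no trimming, no decoding. Kept to show what it misses."""
    return any(f"{key}={val}" in url for key in SENSITIVE_PARAMS for val in TRUTHY)


def _pairs(url: str) -> list[tuple[str, str]]:
    """Key/value pairs from both places a MySQL JDBC URL carries properties:
    the ?query string and the host-property lists written as host,(k=v,...)."""
    base, _, query = url.partition("?")
    pairs = parse_qsl(query, keep_blank_values=True)  # also percent-decodes
    for group in re.findall(r"\(([^)]*)\)", base):
        for item in group.split(","):
            key, sep, val = item.partition("=")
            if sep:
                pairs.append((key, val))
    return pairs


def find_sensitive(url: str) -> list[str]:
    """Sensitive parameters set to a truthy value, in canonical spelling.
    Keys and values are trimmed and case-folded; casefold() (unlike lower())
    maps U+017F LONG S to 's', so 'yeſ' counts as 'yes', which is what the
    InLong regression test expects to be filtered."""
    wanted = {p.casefold(): p for p in SENSITIVE_PARAMS}
    hits = []
    for key, val in _pairs(url):
        canonical = wanted.get(key.strip().casefold())
        if canonical and val.strip().casefold() in TRUTHY:
            hits.append(canonical)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed URL in the shape of the advisory's test case.
    url = "jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile = TRue&autoReconnect=true"
    print(naive_contains_sensitive(url))  # False: substring check is bypassed
    print(find_sensitive(url))           # ['allowLoadLocalInfile', 'autoDeserialize']
```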
Impact
Successful exploitation allows remote code execution via deserialization attacks, potentially leading to full system compromise. The vulnerability can be leveraged to exfiltrate data, deploy backdoors, or disrupt service integrity [3].
Mitigation
The issue is fixed in Apache InLong 2.2.0; users can also cherry-pick commit 86c893c from pull request #11732 to patch affected versions [1][4]. No workarounds are documented, and users are strongly advised to upgrade immediately.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.inlong:manager-pojo (Maven) | >= 1.13.0, < 2.2.0 | 2.2.0 |
Affected products
- Apache Software Foundation / Apache InLong (range: 1.13.0)
Patches
86c893cfd8f7 [INLONG-11731][Manager] Fix the problem of Sensitive parameters are bypassed during JDBC verification processing (#11732)
2 files changed · +8 −2
inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/util/MySQLSensitiveUrlUtils.java+2 −2 modified@@ -119,8 +119,8 @@ public static String filterSensitive(String url) { public static String containSensitiveKey(String url) { for (String key : SENSITIVE_REPLACE_PARAM_MAP.keySet()) { - if (url.contains(key + InlongConstants.EQUAL + "true") - || url.contains(key + InlongConstants.EQUAL + "yes")) { + if (StringUtils.containsIgnoreCase(url, key + InlongConstants.EQUAL + "true") + || StringUtils.containsIgnoreCase(url, key + InlongConstants.EQUAL + "yes")) { return key; } }
inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java+6 −0 modified@@ -31,6 +31,12 @@ public class MySQLSinkDTOTest { public void testFilterSensitive() throws Exception { // the sensitive params no use url code String originUrl = MySQLSinkDTO.filterSensitive( + "jdbc:mysql://127.0.0.1,(allowLoadLocalInfile=yeſ,allowUrlInLocalInfile=yeſ,allowLoadLocalInfileInPath=.,maxAllowedPacket=655360),:3307/test"); + Assertions.assertEquals( + "jdbc:mysql://127.0.0.1,(,,allowLoadLocalInfileInPath=.,maxAllowedPacket=655360),:3307/test", + originUrl); + + originUrl = MySQLSinkDTO.filterSensitive( "jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile = TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true"); Assertions.assertEquals( "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
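Review bot: in the MySQLSensitiveUrlUtils hunk, switching to StringUtils.containsIgnoreCase still matches `key + "=" + "true"` as a raw substring, so containSensitiveKey does not recognise a value with whitespace around `=` (the `allowLoadLocalInfile = TRue` form that the existing test already feeds to filterSensitive) or any truthy spelling other than `true`/`yes`; consider splitting the URL into key/value pairs (both the `?k=v&...` query and the `host,(k=v,...)` property list) and comparing trimmed, case-folded keys and values against the sensitive set. The hunk also adds no import while introducing `StringUtils`; since the file summary is +2 −2, confirm the class already imports it.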
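Review bot: in the MySQLSinkDTOTest hunk, the new assertion exercises filterSensitive only, while the production change in this PR is in containSensitiveKey; add a direct test that containSensitiveKey returns the key for mixed-case and `yeſ` inputs and the no-match value for `autoReconnect=true`, so the case-insensitive comparison is covered rather than inferred. The expected string `(,,allowLoadLocalInfileInPath=.,maxAllowedPacket=655360)` also leaves two empty entries in the host-property list; either add a comment on whether the driver accepts empty entries or have the filter remove the separators together with the parameters.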
References
- https://github.com/apache/inlong/pull/11732 (patch)
- https://github.com/advisories/GHSA-r324-vgr5-73c9 (advisory)
- https://lists.apache.org/thread/s4dnmq3gwcjocxf85qk190knlzd26jby (vendor advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-27522 (advisory)
- https://github.com/apache/inlong/commit/86c893cfd8f7ba9ffce5d20abef6cd360f502fdf (fix commit)