VYPR
← All advisories
Moderate severityNVD Advisory· Published May 28, 2025· Updated May 28, 2025

Apache InLong: JDBC Vulnerability For URLEncode and backspace bypass

CVE-2025-27526

Description

Deserialization of Untrusted Data vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability which can lead to JDBC Vulnerability URLEncdoe and backspace bypass. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.

[1]  https://github.com/apache/inlong/pull/11747

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Deserialization vulnerability in Apache InLong 1.13.0-2.1.0 allows JDBC URL manipulation via encoded/backspace bypass, risking data exposure.

Description

CVE-2025-27526 is a deserialization of untrusted data vulnerability in Apache InLong versions 1.13.0 through 2.1.0. The root cause lies in the filterSensitive function, which fails to properly sanitize JDBC URL parameters when encoded or backspace characters are used. This allows an attacker to bypass the intended filtering and inject malicious parameters into the JDBC connection string [1][2].

Exploitation

An attacker can craft a JDBC URL with URL-encoded characters or backspace sequences to evade the sensitive key detection logic. The original code removed parameters matching specific keys with values 'true' or 'yes', but it did not handle cases where the parameter name or value was encoded or contained backspace characters. The pull request #11747 fixes this by introducing a bracket-based filtering approach that properly strips sensitive parameters regardless of encoding [2][4].

Impact

Successful exploitation of this vulnerability could allow an attacker to manipulate the JDBC URL, potentially leading to unauthorized data access, data exfiltration, or corruption. Given the role of InLong in data integration, this could compromise sensitive data streams [1].

Mitigation

Users are advised to upgrade to Apache InLong version 2.2.0 or apply the fix from commit 48c2f5c [4]. No workarounds are documented, so immediate patching is recommended [1].

References
  1. NVD - CVE-2025-27526
  2. [INLONG-11746][Manager] Fix the problem of JDBC URL cannot handle special characters by fuweng11 · Pull Request #11747 · apache/inlong
  3. [INLONG-11746][Manager] Fix the problem of JDBC URL cannot handle spe… · apache/inlong@48c2f5c

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.inlong:manager-pojoMaven
>= 1.13.0, < 2.2.02.2.0

Affected products

3

Patches

1
48c2f5cad4a9

[INLONG-11746][Manager] Fix the problem of JDBC URL cannot handle special characters (#11747)

https://github.com/apache/inlongfuweng11Feb 11, 2025via ghsa
commit
3 files changed · +52 17
  • inlong-manager/manager-common/src/main/java/org/apache/inlong/manager/common/consts/InlongConstants.java+2 0 modified
    @@ -66,6 +66,8 @@ public class InlongConstants {
 
     public static final String LEFT_BRACKET = "(";
 
+    public static final String RIGHT_BRACKET = ")";
+
     public static final String PERCENT = "%";
 
     public static final String QUESTION_MARK = "?";
  • inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/util/MySQLSensitiveUrlUtils.java+39 15 modified
    @@ -70,15 +70,7 @@ public static String filterSensitive(String url) {
                 resultUrl = URLDecoder.decode(resultUrl, "UTF-8");
             }
             resultUrl = resultUrl.replaceAll(InlongConstants.REGEX_WHITESPACE, InlongConstants.EMPTY);
-
-            String sensitiveKey = containSensitiveKey(resultUrl);
-            while (StringUtils.isNotBlank(sensitiveKey)) {
-                resultUrl = StringUtils.replaceIgnoreCase(resultUrl, sensitiveKey + InlongConstants.EQUAL + "true",
-                        InlongConstants.EMPTY);
-                resultUrl = StringUtils.replaceIgnoreCase(resultUrl, sensitiveKey + InlongConstants.EQUAL + "yes",
-                        InlongConstants.EMPTY);
-                sensitiveKey = containSensitiveKey(resultUrl);
-            }
+            resultUrl = filterSensitiveKeyByBracket(resultUrl);
             if (resultUrl.contains(InlongConstants.QUESTION_MARK)) {
                 StringBuilder builder = new StringBuilder();
                 builder.append(StringUtils.substringBefore(resultUrl, InlongConstants.QUESTION_MARK));
@@ -117,13 +109,45 @@ public static String filterSensitive(String url) {
         }
     }
 
-    public static String containSensitiveKey(String url) {
-        for (String key : SENSITIVE_REPLACE_PARAM_MAP.keySet()) {
-            if (StringUtils.containsIgnoreCase(url, key + InlongConstants.EQUAL + "true")
-                    || StringUtils.containsIgnoreCase(url, key + InlongConstants.EQUAL + "yes")) {
-                return key;
+    public static String filterSensitiveKeyByBracket(String url) {
+        if (!StringUtils.containsIgnoreCase(url, InlongConstants.LEFT_BRACKET)
+                || !StringUtils.containsIgnoreCase(url, InlongConstants.RIGHT_BRACKET)) {
+            return url;
+        }
+        StringBuilder builder = new StringBuilder();
+        String params;
+        while (StringUtils.containsIgnoreCase(url, InlongConstants.LEFT_BRACKET)
+                && StringUtils.containsIgnoreCase(url, InlongConstants.RIGHT_BRACKET)) {
+            int preIndex = url.indexOf(InlongConstants.LEFT_BRACKET);
+            int endIndex = url.indexOf(InlongConstants.RIGHT_BRACKET);
+            builder.append(url, 0, preIndex);
+            String temp = url.substring(preIndex + 1, endIndex);
+            List<String> paramList = new ArrayList<>();
+            for (String param : temp.split(InlongConstants.COMMA)) {
+                if (StringUtils.isBlank(param)) {
+                    continue;
+                }
+                String key = StringUtils.substringBefore(param, InlongConstants.EQUAL);
+                String value = StringUtils.substringAfter(param, InlongConstants.EQUAL);
+                if (SENSITIVE_REMOVE_PARAM_MAP.contains(key) || SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)) {
+                    continue;
+                }
+                paramList.add(key + InlongConstants.EQUAL + value);
             }
+            params = StringUtils.join(paramList, InlongConstants.COMMA);
+            builder.append(InlongConstants.LEFT_BRACKET)
+                    .append(params)
+                    .append(InlongConstants.RIGHT_BRACKET);
+            url = url.substring(endIndex + 1);
         }
-        return null;
+        List<String> sensitiveParamList = new ArrayList<>();
+        SENSITIVE_REPLACE_PARAM_MAP
+                .forEach((key, value) -> sensitiveParamList.add(key + InlongConstants.EQUAL + value));
+        params = StringUtils.join(sensitiveParamList, InlongConstants.COMMA);
+        builder.append(InlongConstants.LEFT_BRACKET)
+                .append(params)
+                .append(InlongConstants.RIGHT_BRACKET)
+                .append(url);
+        return builder.toString();
     }
 }
  • inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java+11 2 modified
    @@ -33,7 +33,14 @@ public void testFilterSensitive() throws Exception {
         String originUrl = MySQLSinkDTO.filterSensitive(
                 "jdbc:mysql://127.0.0.1,(allowLoadLocalInfile=yeſ,allowUrlInLocalInfile=yeſ,allowLoadLocalInfileInPath=.,maxAllowedPacket=655360),:3307/test");
         Assertions.assertEquals(
-                "jdbc:mysql://127.0.0.1,(,,allowLoadLocalInfileInPath=.,maxAllowedPacket=655360),:3307/test",
+                "jdbc:mysql://127.0.0.1,(maxAllowedPacket=655360)(autoDeserialize=false,allowUrlInLocalInfile=false,allowLoadLocalInfile=false),:3307/test",
+                originUrl);
+
+        String jdbcUrl =
+                "jdbc:mysql://127.0.0.1,(allowLoadLocalInfile=%08true,allowUrlInLocalInfile=%08true,allowLoadLocalInfileInPath=.,maxAllowedPacket=655360),:3307/test";
+        originUrl = MySQLSinkDTO.filterSensitive(jdbcUrl);
+        Assertions.assertEquals(
+                "jdbc:mysql://127.0.0.1,(maxAllowedPacket=655360)(autoDeserialize=false,allowUrlInLocalInfile=false,allowLoadLocalInfile=false),:3307/test",
                 originUrl);
 
         originUrl = MySQLSinkDTO.filterSensitive(
@@ -44,7 +51,9 @@ public void testFilterSensitive() throws Exception {
 
         originUrl = MySQLSinkDTO.filterSensitive(
                 "jdbc:mysql://address=(host=127.0.0.1)(port=3306)(allowLoadallowLoadLocalInfile=trueLocalInfile=true)");
-        Assertions.assertEquals("jdbc:mysql://address=(host=127.0.0.1)(port=3306)()", originUrl);
+        Assertions.assertEquals(
+                "jdbc:mysql://address=(host=127.0.0.1)(port=3306)(allowLoadallowLoadLocalInfile=trueLocalInfile=true)(autoDeserialize=false,allowUrlInLocalInfile=false,allowLoadLocalInfile=false)",
+                originUrl);
 
         originUrl = MySQLSinkDTO.filterSensitive(
                 "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize = TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.