High severity · OSV Advisory · Published Jan 26, 2026 · Updated Jan 26, 2026
HDFS native client: Out of bounds write in URI parser of native HDFS client
CVE-2025-27821
Description
Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client.
This issue affects Apache Hadoop: from 3.2.0 before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.hadoop:hadoop-hdfs-native-client (Maven) | >= 3.2.0, < 3.4.2 | 3.4.2 |
Patches (1)
1. 2b32e46f666c HDFS-17754. Add uriparser2 to notices (#7481)
3 files changed · +28 −1
hadoop-hdfs-project/hadoop-hdfs-native-client/src/main/native/libhdfspp/third_party/uriparser2/uriparser2/uriparser/UriQuery.c+1 −0 modified@@ -219,6 +219,7 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest, /* Copy key */ if (firstItem == URI_TRUE) { + ampersandLen = 1; firstItem = URI_FALSE; } else { write[0] = _UT('&');
licenses-binary/LICENSE-uriparser2.txt+19 −0 added@@ -0,0 +1,19 @@ +Copyright (c) 2010 Ben Noordhuis + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE.
NOTICE-binary+8 −1 modified@@ -809,7 +809,7 @@ This product includes software developed by Apache PureJavaCrc32C from apache-hadoop-common http://hadoop.apache.org/ (Apache 2.0 license) -This library containd statically linked libstdc++. This inclusion is allowed by +This library contains statically linked libstdc++. This inclusion is allowed by "GCC RUntime Library Exception" http://gcc.gnu.org/onlinedocs/libstdc++/manual/license.html @@ -825,3 +825,10 @@ Copyright 2009-2018 The Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/). + +This product includes code from uriparser2, a C and C++ library for URI parsing. + + * LICENSE: + * license/LICENSE-uriparser2.txt (MIT License) + * HOMEPAGE: + * https://github.com/bnoordhuis/uriparser2
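Review bot: in the UriQuery.c hunk, the first-item branch of ComposeQueryEngine now sets `ampersandLen = 1` while it is the non-first branch that actually writes `_UT('&')`; a one-line comment saying that the counter accounts for the separator written before every later item would make the length accounting legible to the next reader. The commit message ("Add uriparser2 to notices") also says nothing about this code change, even though it is the only functional change in the patch and is the fix for the out-of-bounds write the advisory describes; it should be named in the message, and a regression test composing a single key/value query into a buffer sized exactly to the expected output would pin the corrected behaviour.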
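Review bot: in the first NOTICE-binary hunk, the corrected line `+This library contains statically linked libstdc++.` is directly followed by the unchanged context line `"GCC RUntime Library Exception"`, which carries the same kind of typo (`RUntime`); since this paragraph is already being edited, fix both in the same pass.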
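Review bot: in the second NOTICE-binary hunk, the added pointer `* license/LICENSE-uriparser2.txt (MIT License)` does not literally match the path at which this same patch adds the license text, `licenses-binary/LICENSE-uriparser2.txt`; if the binary packaging maps `licenses-binary/` to `license/`, as the neighbouring entries suggest, a sentence in the PR saying so would settle it, otherwise one of the two paths needs to change so the notice resolves to a file that exists.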
References (7)
- github.com/advisories/GHSA-92cc-952p-v8rh (GHSA, advisory)
- lists.apache.org/thread/kwjhyyx0wl2z9b0mw0styjk0hhdbyplh (GHSA, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-27821 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2026/01/23/7 (GHSA, web)
- github.com/apache/hadoop/commit/2b32e46f666c7645f5d1e026be3982b99319ccb8 (GHSA, web)
- github.com/apache/hadoop/pull/7481 (GHSA, web)
- issues.apache.org/jira/browse/HDFS-17754 (GHSA, web)