Low severity · NVD Advisory · Published Jun 19, 2025 · Updated Jun 20, 2025
Apache SeaTunnel: Unauthenticated insecure access
CVE-2025-32896
Description
# Summary
Unauthorized users can perform arbitrary file read and deserialization attacks by submitting a job using restful api-v1.
# Details
Unauthorized users can access /hazelcast/rest/maps/submit-job to submit a job. An attacker can set extra parameters in the MySQL URL to perform arbitrary file read and deserialization attacks.
This issue affects Apache SeaTunnel: <=2.3.10
# Fixed
Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 and HTTPS two-way authentication, which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.seatunnel:seatunnel-engine-server (Maven) | < 2.3.11 | 2.3.11 |
| org.apache.seatunnel:seatunnel-engine-common (Maven) | < 2.3.11 | 2.3.11 |
Affected products
- ghsa-coords (2 versions): pkg:maven/org.apache.seatunnel/seatunnel-engine-common, pkg:maven/org.apache.seatunnel/seatunnel-engine-server; range: < 2.3.11
- (no CPE) range: < 2.3.11
- (no CPE) range: < 2.3.11
References
- github.com/apache/seatunnel/pull/9010 (ghsa, patch, WEB)
- github.com/advisories/GHSA-9x53-gr7p-4qf5 (ghsa, ADVISORY)
- lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-32896 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2025/04/12/1 (ghsa, WEB)
- github.com/apache/seatunnel/commit/53325aa3e76e3939f41a4bf3eaaf3ee56f13f311 (ghsa, WEB)