Apache IoTDB: DoS Vulnerability
Description
A vulnerability in Apache IoTDB.
This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.
Users are recommended to upgrade to version 2.0.5, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache IoTDB versions 1.3.3 through 1.3.4 and 2.0.1-beta through 2.0.4 are vulnerable to a denial-of-service (DoS) attack; upgrade to 2.0.5 to fix.
Vulnerability
Overview
CVE-2025-48392 is a denial-of-service (DoS) vulnerability affecting Apache IoTDB, a time-series database management system. The issue impacts versions 1.3.3 through 1.3.4 and 2.0.1-beta through 2.0.4 [1][2][3]. The root cause lies in how the software handles certain requests, potentially allowing an attacker to cause excessive resource consumption or crash the service.
Exploitation
The attack vector is network-based and no authentication is required. By sending specially crafted requests to an affected IoTDB instance, an attacker can trigger the DoS condition. No special privileges or user interaction are needed for exploitation [3].
Impact
Successful exploitation leads to a denial-of-service condition, making the IoTDB service unavailable to legitimate users. This can disrupt time-series data collection, storage, and analysis operations that rely on IoTDB, potentially affecting industrial IoT systems and other dependent applications [1][3].
Mitigation
The Apache IoTDB project has released version 2.0.5, which fixes the vulnerability. Users are recommended to upgrade immediately. No workarounds have been provided for affected versions [2][3].
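For operators triaging deployments against the version ranges stated above, the following is an added Python example (not part of this advisory or of the IoTDB project) that parses an IoTDB version string and reports whether it falls inside an affected range. It follows the two ranges in the description rather than the GitHub advisory's single `>= 1.3.3, < 2.0.5` range, and treats a pre-release tag such as `-beta` as sorting before the corresponding final release.

```python
import re
from typing import Tuple

# Affected ranges exactly as stated in the advisory description (inclusive bounds).
AFFECTED_RANGES = [("1.3.3", "1.3.4"), ("2.0.1-beta", "2.0.4")]
FIXED_VERSION = "2.0.5"

# major.minor.patch with an optional pre-release suffix, e.g. "2.0.1-beta".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def version_key(version: str) -> Tuple:
    """Turn a version string into a tuple that sorts the way releases are ordered."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IoTDB version string: {version!r}")
    major, minor, patch, pre = m.groups()
    # A pre-release (2.0.1-beta) sorts before its final release (2.0.1):
    # final releases get 1 in the fourth slot, pre-releases get 0 plus their tag.
    return (int(major), int(minor), int(patch), 0 if pre else 1, (pre or "").lower())


def is_affected(version: str) -> bool:
    """True if the version lies in any of the advisory's inclusive affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def check(version: str) -> str:
    """Human-readable triage line for one deployed version."""
    if is_affected(version):
        return f"{version}: AFFECTED by CVE-2025-48392; upgrade to {FIXED_VERSION}"
    return f"{version}: not in the affected ranges"


if __name__ == "__main__":
    # Constructed sample inventory of deployed versions.
    for v in ["1.3.2", "1.3.3", "1.3.4", "2.0.1-beta", "2.0.1", "2.0.4", "2.0.5"]:
        print(check(v))
```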
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.iotdb:iotdb-core (Maven) | >= 1.3.3, < 2.0.5 | 2.0.5 |
Affected products
- Apache Software Foundation / Apache IoTDB (affected range starting at 1.3.3)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-vx84-xvr8-w24c (GHSA advisory)
- lists.apache.org/thread/1rn0637hptglmctf8cqd9425bj4q21td (vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2025-48392 (advisory)
- www.openwall.com/lists/oss-security/2025/09/24/9 (web)