Vulnerability Description
# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Seatunnel | >= 2.3.1, < 2.3.11 |
Related Weaknesses (CWE)
References
- https://github.com/apache/seatunnel/pull/9010Issue TrackingPatch
- https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9Mailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2025/04/12/1Mailing ListThird Party Advisory
FAQ
What is CVE-2025-32896?
CVE-2025-32896 is a vulnerability with a CVSS score of 6.5 (MEDIUM). # Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` ...
How severe is CVE-2025-32896?
CVE-2025-32896 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-32896?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Seatunnel.