CVE-2025-62728 — MEDIUM (5.4)

Vulnerability Description

SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Hive	4.1.0

Related Weaknesses (CWE)

CWE-89

References

https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7gVendor Advisory
http://www.openwall.com/lists/oss-security/2025/11/26/3Mailing ListThird Party Advisory

FAQ

What is CVE-2025-62728?

CVE-2025-62728 is a vulnerability with a CVSS score of 5.4 (MEDIUM). SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/appl...

How severe is CVE-2025-62728?

CVE-2025-62728 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-62728?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Hive.