CVE-2025-62728
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-26

Last updated on: 2025-12-04

Assigner: Apache Software Foundation

Description
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to setΒ metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-26
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-11-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62728
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache hive 4.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a SQL injection issue in the Hive Metastore Server (HMS) that occurs when processing delete column statistics requests via the Thrift APIs. It allows trusted or authorized users or applications that can directly call the Thrift APIs to potentially execute malicious SQL commands. However, in most deployments, HMS is only accessible to a limited set of applications, reducing the risk of exploitation. Additionally, the vulnerability can be mitigated by setting the metastore.try.direct.sql property to false, which disables the vulnerable code path.

Impact Analysis

If exploited by a trusted or authorized user or application with access to the Thrift APIs, this SQL injection vulnerability could allow unauthorized manipulation or deletion of data within the Hive Metastore. This could lead to data integrity issues or unauthorized data modification. However, the risk is limited because only trusted users with direct API access can exploit it, and the vulnerability is not reachable if the metastore.try.direct.sql property is set to false.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Apache Hive to version 4.2.0 or later. If upgrading is not immediately possible and the Hive Metastore Server Thrift APIs are exposed to general public or untrusted users, set the metastore.try.direct.sql property to false to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62728. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart