CVE-2025-26866
BaseFortify
Publication date: 2025-12-12
Last updated on: 2025-12-29
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | hugegraph | From 1.0.0 (inc) to 1.7.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a remote code execution issue in the PD (placement driver) store of Apache HugeGraph: a malicious Raft node can send a crafted Hessian-serialized payload that the PD store deserializes without restricting which classes may be instantiated. Because the deserializer resolves whatever class name the payload names, an attacker can inject objects of arbitrary classes on the classpath (an object injection, CWE-502) and, with a suitable gadget chain, execute arbitrary code in the PD process.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to execute arbitrary code remotely within the PD store environment. This could lead to unauthorized control over the system, data compromise, service disruption, or further attacks within the cluster.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Apache HugeGraph to 1.7.0 (the PD store is a component of HugeGraph; versions from 1.0.0 up to but excluding 1.7.0 are affected). The fix enforces IP-based authentication so that only configured peers are accepted as cluster members, and applies a strict class whitelist to Hessian deserialization so that unexpected classes are not instantiated. Until the upgrade is applied, restrict network access to the PD/Raft ports to the addresses of trusted cluster nodes, since the attack requires the ability to act as a Raft peer.
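The following is an added illustration, not HugeGraph's own code or its actual patch: it shows the unrestricted Hessian read the advisory describes beside a read that enforces a class whitelist, using the `ClassFactory` allow-list API of the Caucho `com.caucho.hessian` library (recent 4.0.x releases). The `PeerMessage` and `NotAllowed` types, the package names and the contents of the allow list are assumptions made for the example; the real PD store's message types and whitelist will differ.

```java
import com.caucho.hessian.io.ClassFactory;
import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.Hessian2Output;
import com.caucho.hessian.io.SerializerFactory;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.Serializable;

/** Illustrative example (assumption: not HugeGraph code) of whitelisting Hessian deserialization. */
public class HessianWhitelistExample {

    /** Hypothetical message type that a PD-style service expects from Raft peers. */
    public static class PeerMessage implements Serializable {
        public String op;
        public long term;
    }

    /** Constructed stand-in for an attacker-chosen class; any Serializable class off the allow list behaves the same. */
    public static class NotAllowed implements Serializable {
        public String cmd = "constructed payload";
    }

    /** Vulnerable pattern: the class named in the payload is resolved and instantiated unconditionally. */
    public static Object readUnrestricted(byte[] payload) throws IOException {
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(payload));
        try {
            return in.readObject();
        } finally {
            in.close();
        }
    }

    /** A SerializerFactory whose ClassFactory only resolves explicitly allowed class names. */
    public static SerializerFactory restrictedFactory() {
        SerializerFactory factory = new SerializerFactory();
        ClassFactory classes = factory.getClassFactory();
        classes.setWhitelist(true);                 // deny everything that is not allowed below
        classes.allow("java.lang.*");               // boxed primitives and String
        classes.allow("java.util.*");               // collection types Hessian names in typed lists/maps
        classes.allow(PeerMessage.class.getName()); // assumption: the only application type accepted here
        return factory;
    }

    /** Hardened pattern: whitelist plus an explicit type check on the result. */
    public static PeerMessage readRestricted(byte[] payload) throws IOException {
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(payload));
        in.setSerializerFactory(restrictedFactory());
        try {
            Object obj = in.readObject();
            // Caveat: ClassFactory does not throw for a denied class name; it decodes the
            // object's fields into a HashMap instead. The type check is what turns that into a rejection.
            if (!(obj instanceof PeerMessage)) {
                String type = (obj == null) ? "null" : obj.getClass().getName();
                throw new IOException("rejected deserialized object of type " + type);
            }
            return (PeerMessage) obj;
        } finally {
            in.close();
        }
    }

    /** Encode an object with Hessian 2, as a peer (or an attacker) would. */
    public static byte[] encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        Hessian2Output out = new Hessian2Output(bos);
        out.writeObject(o);
        out.close();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        PeerMessage m = new PeerMessage();
        m.op = "heartbeat";
        m.term = 7;
        byte[] legit = encode(m);
        byte[] hostile = encode(new NotAllowed());

        // Legitimate message decodes under both readers.
        System.out.println("unrestricted, legit: " + readUnrestricted(legit).getClass().getName());
        System.out.println("restricted,   legit: " + readRestricted(legit).op);

        // The hostile payload is instantiated by the unrestricted reader ...
        System.out.println("unrestricted, hostile: " + readUnrestricted(hostile).getClass().getName());

        // ... but the whitelist reader decodes it as a HashMap and the type check rejects it.
        try {
            readRestricted(hostile);
        } catch (IOException e) {
            System.out.println("restricted,   hostile: " + e.getMessage());
        }
    }
}
```

Keep the allow list as narrow as the wire protocol permits: every allowed package is a place a gadget class could live, so broad entries such as `java.util.*` should be reviewed against the classes the service actually exchanges. The type check after `readObject()` is not optional, because a whitelisted deserializer that silently yields a `HashMap` for a denied class would otherwise hand the caller an unexpected object rather than an error.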