CVE-2025-66524
Unfiltered Java Deserialization in Apache NiFi GetAsanaObject Processor
Publication date: 2025-12-19
Last updated on: 2025-12-19
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | nifi | 1.20.0 through 2.6.0 (inclusive); fixed in 2.7.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the GetAsanaObject Processor in Apache NiFi versions 1.20.0 through 2.6.0. The processor persists its state through the configured Distributed Map Cache Client Service using generic Java object serialization, and reads it back with unfiltered Java deserialization. Without a deserialization filter, the Java runtime will instantiate whatever classes a serialized stream names, so an attacker who can write to the cache server can store crafted state that is deserialized the next time the processor runs. Depending on the classes available on the NiFi classpath, this can lead to remote code execution or other malicious actions. Exploitation requires both a running GetAsanaObject Processor and direct access to the cache server it is configured to use. [2]
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute arbitrary code or perform other malicious actions on the Apache NiFi system by exploiting crafted serialized objects stored in the cache server. This can compromise the integrity, confidentiality, and availability of the system running the vulnerable GetAsanaObject Processor. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to three checks: is the NiFi deployment on an affected version (1.20.0 through 2.6.0), does the flow contain a GetAsanaObject Processor, and is the Distributed Map Cache Server that processor is configured to use reachable from untrusted hosts. Specific commands depend on your environment, but generally: 1) Check the NiFi version in the UI "About" dialog, via 'GET /nifi-api/flow/about', or from the versioned jar names under 'lib/' in the NiFi installation directory (note that 'nifi.sh status' only reports whether the process is running). 2) Find the processor with the UI search box or 'GET /nifi-api/flow/search-results?q=GetAsanaObject'; results are reported per processor with its id and process group. 3) From a host that should not have access, test reachability of the cache server port (DistributedMapCacheServer listens on 4557 by default), e.g. 'nc -vz <cache-server-ip> <port>'. A successful connection from an untrusted network segment means the precondition for this issue is met, because the cache protocol itself does not authenticate clients unless it is fronted by an SSL Context Service with client authentication. [2]
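The version and processor checks above can be scripted against the NiFi REST API. The following is an added example, not code from the advisory or from Apache NiFi: it fetches '/nifi-api/flow/about' and '/nifi-api/flow/search-results', decides whether the instance is in the affected range and runs a GetAsanaObject processor, and runs offline against constructed sample payloads when no base URL is given. The JSON field names ('about.version', 'searchResultsDTO.processorResults') follow the NiFi REST API as documented; the bearer-token handling assumes a token obtained from '/nifi-api/access/token'.

```python
"""Added example (not from the advisory or from Apache NiFi): check a NiFi
instance for the CVE-2025-66524 preconditions, i.e. an affected version
(1.20.0 through 2.6.0) together with a GetAsanaObject processor in the flow.
Version comes from GET /nifi-api/flow/about, processor hits from
GET /nifi-api/flow/search-results?q=GetAsanaObject. The sample payloads at
the bottom are constructed, not captured from a real instance."""
import json
import re
import sys
import urllib.parse
import urllib.request

AFFECTED_MIN = (1, 20, 0)   # first affected release named in the advisory
AFFECTED_MAX = (2, 6, 0)    # last affected release; 2.7.0 switches state to JSON
# Word boundaries so that e.g. a processor named "GetAsanaObjectStats" is not a hit.
PROCESSOR_RE = re.compile(r"\bGetAsanaObject\b")


def parse_version(text):
    """'2.6.0' -> (2, 6, 0); qualifiers such as '1.28.1-SNAPSHOT' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised NiFi version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def asana_processors(search_results):
    """Return (id, groupId, name) for every processor hit whose name or match
    text names GetAsanaObject. Expected shape:
    {"searchResultsDTO": {"processorResults": [{"id", "groupId", "name", "matches"}]}}"""
    hits = search_results.get("searchResultsDTO", {}).get("processorResults", [])
    found = []
    for h in hits:
        haystack = " ".join([h.get("name") or ""] + [str(m) for m in h.get("matches", [])])
        if PROCESSOR_RE.search(haystack):
            found.append((h.get("id"), h.get("groupId"), h.get("name")))
    return found


def assess(version_text, search_results):
    """Combine both checks; 'vulnerable' needs an affected version AND the processor."""
    procs = asana_processors(search_results)
    affected = is_affected_version(version_text)
    return {"version": version_text, "affected_version": affected,
            "processors": procs, "vulnerable": affected and bool(procs)}


def fetch_json(base_url, path, token=None):
    """GET a NiFi REST endpoint. 'token' is assumed to be a bearer token from
    POST /nifi-api/access/token; omit it for unsecured (HTTP) instances."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def assess_live(base_url, token=None):
    about = fetch_json(base_url, "/nifi-api/flow/about")
    query = urllib.parse.urlencode({"q": "GetAsanaObject"})
    search = fetch_json(base_url, "/nifi-api/flow/search-results?" + query)
    return assess(about["about"]["version"], search)


# Constructed sample payloads for an offline run (not real instance data).
SAMPLE_ABOUT = {"about": {"title": "NiFi", "version": "2.6.0"}}
SAMPLE_SEARCH = {"searchResultsDTO": {"processorResults": [
    {"id": "p-0001", "groupId": "g-root", "name": "GetAsanaObject",
     "matches": ["Name: GetAsanaObject"]},
    {"id": "p-0002", "groupId": "g-root", "name": "Fetch Asana tasks",
     "matches": ["Type: GetAsanaObject"]},          # renamed instance, still a hit
    {"id": "p-0003", "groupId": "g-root", "name": "GetAsanaObjectStats",
     "matches": ["Name: GetAsanaObjectStats"]},     # different processor, not a hit
]}}

if __name__ == "__main__":
    # usage: python check_asana.py https://nifi.example:8443 [bearer-token]
    if len(sys.argv) >= 2:
        result = assess_live(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        result = assess(SAMPLE_ABOUT["about"]["version"], SAMPLE_SEARCH)
    print(json.dumps(result, indent=2))
```

Run it with the instance URL and a bearer token to get a JSON verdict; a 'vulnerable' result lists the ids and process groups of the GetAsanaObject instances so they can be located in the UI. The version check alone is not sufficient, since the issue only matters when the processor is present and its cache server is reachable.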
What immediate steps should I take to mitigate this vulnerability?
The recommended mitigation is to upgrade Apache NiFi to version 2.7.0 or later, which replaces the generic Java object serialization in this processor with JSON serialization, so cache entries can no longer instantiate arbitrary classes on read. If upgrading is not immediately possible, removing the GetAsanaObject Processor from the nifi-asana-processors-nar bundle (or removing the bundle itself if no other Asana processors are in use) removes the vulnerable code path. In either case, restrict network access to the Distributed Map Cache Server that the processor's Distributed Map Cache Client Service points at, since the attacker's only required capability is the ability to write entries to that server; if the server is not fronted by an SSL Context Service with client authentication, any host that can reach the port can do so. [2]