CVE-2025-66524
Unknown Unknown - Not Provided
Unfiltered Java Deserialization in Apache NiFi GetAsanaObject Processor

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: Apache Software Foundation

Description
Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66524
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache nifi 2.6.0
apache nifi 1.20.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Apache NiFi versions 1.20.0 through 2.6.0 in the GetAsanaObject Processor, which uses generic Java object serialization and deserialization without filtering. Because of this, an attacker with direct access to the configured Distributed Map Cache Client Service can exploit crafted state information stored in the cache server. This unfiltered deserialization can lead to remote code execution or other malicious actions. Exploitation requires both the vulnerable processor running and direct access to the cache server. [2]

Impact Analysis

If exploited, this vulnerability can allow an attacker to execute arbitrary code or perform other malicious actions on the Apache NiFi system by exploiting crafted serialized objects stored in the cache server. This can compromise the integrity, confidentiality, and availability of the system running the vulnerable GetAsanaObject Processor. [2]

Detection Guidance

Detection involves verifying if your Apache NiFi deployment is running a vulnerable version (1.20.0 through 2.6.0) with the GetAsanaObject Processor enabled and if the configured Distributed Map Cache Client Service is accessible. You can check the NiFi version and installed processors via the NiFi UI or CLI. For example, use the NiFi CLI command to list processors and check for 'GetAsanaObject'. Additionally, verify network access to the cache server configured for the GetAsanaObject Processor. Specific commands depend on your environment, but generally: 1) Check NiFi version: 'nifi.sh status' or via UI. 2) List processors: use NiFi REST API or CLI to find 'GetAsanaObject'. 3) Test connectivity to the cache server (e.g., 'telnet <cache-server-ip> <port>' or 'nc -vz <cache-server-ip> <port>'). [2]

Mitigation Strategies

The recommended immediate mitigation is to upgrade Apache NiFi to version 2.7.0 or later, which replaces the vulnerable Java object serialization with safer JSON serialization. If upgrading is not immediately possible, removing the GetAsanaObject Processor from the nifi-asana-processors-nar bundle will also prevent exploitation. Additionally, restrict network access to the configured Distributed Map Cache Client Service to prevent unauthorized access to the cache server. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66524. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart