CVE-2024-41177

6.1 MEDIUM

📋 TL;DR

Apache Zeppelin versions before 0.12.0 have an incomplete blacklist that fails to properly sanitize user input, allowing attackers to inject malicious scripts. This Cross-Site Scripting (XSS) vulnerability affects all users of vulnerable Zeppelin instances, potentially compromising user sessions and data. The issue is fixed in version 0.12.0.

💻 Affected Systems

Products:
  • Apache Zeppelin
Versions: All versions before 0.12.0
Operating Systems: All operating systems running Apache Zeppelin
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. The vulnerability exists in the blacklist-based input sanitization mechanism.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, or defacement of Zeppelin notebooks through injected scripts.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy headers in place.

🌐 Internet-Facing: HIGH - Internet-facing Zeppelin instances are directly accessible to attackers who can craft malicious payloads.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires finding bypasses for the incomplete blacklist. No public exploit code is currently available, but XSS vulnerabilities are commonly exploited.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.0

Vendor Advisory: https://lists.apache.org/thread/nwh8vh9f3pnvt04n8z4g2kbddh62blr6

Restart Required: No

Instructions:

1. Download Apache Zeppelin 0.12.0 or later from the official website.
2. Stop the current Zeppelin service.
3. Replace the installation with the new version.
4. Start the Zeppelin service.
5. Verify the upgrade was successful.

🔧 Temporary Workarounds

Implement Content Security Policy (applies to: all)

Add strict Content Security Policy headers to limit the sources from which scripts may execute. Example response header: Content-Security-Policy: default-src 'self'; script-src 'self'

Input Validation Filter (applies to: all)

Implement additional input validation at the web server or application layer, for example by configuring the web server (Apache/Nginx) to filter suspicious patterns in user input.
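Both workarounds above are filters, and the advisory's root cause is that a deny-list filter only catches the markers its author listed. The added example below (not Zeppelin's code; the blacklist, the samples and the helper names are constructed for illustration) measures such a filter against the four indicators from this advisory's SIEM query and contrasts it with HTML output encoding, which neutralizes every sample regardless of its content.

```python
import html
import re

# Constructed deny-list filter: stands in for the blacklist pattern the advisory describes.
# It is not Zeppelin's code; it strips only the markers its author thought of.
BLACKLIST = [re.compile(p, re.IGNORECASE) for p in (r"<script\b", r"javascript:")]

def blacklist_filter(value: str) -> str:
    """Deny-list approach: remove known-bad markers, pass everything else through."""
    for pattern in BLACKLIST:
        value = pattern.sub("", value)
    return value

def escape_for_html(value: str) -> str:
    """Output-encoding approach: every HTML metacharacter is encoded, so the browser
    never parses user text as markup, whatever it contains."""
    return html.escape(value, quote=True)

# A tag counts as 'active' if it is a script element, a javascript: URL or an event handler.
TAG = re.compile(r"<[a-z][^>]*>", re.IGNORECASE)
ACTIVE = re.compile(r"^<script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def still_active(rendered: str) -> bool:
    """True if the rendered fragment still contains a tag the browser would execute."""
    return any(ACTIVE.search(tag) for tag in TAG.findall(rendered))

def coverage(sanitizer, samples: dict) -> list:
    """Return the indicators whose sample survives sanitizer() as active markup."""
    return [name for name, sample in samples.items() if still_active(sanitizer(sample))]

# Constructed samples, one per indicator in the advisory's SIEM query; x() is an inert placeholder.
SAMPLES = {
    "<script": "<script>x()</script>",
    "javascript:": '<a href="javascript:x()">link</a>',
    "onerror=": '<img src="x" onerror="x()">',
    "onload=": '<body onload="x()">',
}

if __name__ == "__main__":
    print("deny-list leaves active:", coverage(blacklist_filter, SAMPLES))  # ['onerror=', 'onload=']
    print("escaping leaves active: ", coverage(escape_for_html, SAMPLES))   # []
```

The deny-list passes two of the four indicators untouched, while escaping removes the tag syntax itself, which is why output encoding (and CSP as a second layer) is the durable fix rather than a longer blacklist.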

🧯 If You Can't Patch

  • Isolate Zeppelin instances behind a web application firewall (WAF) with XSS protection rules
  • Restrict access to Zeppelin to trusted users only using network segmentation and authentication

🔍 How to Verify

Check if Vulnerable:

Check Zeppelin version via web interface or configuration files. Versions below 0.12.0 are vulnerable.

Check Version:

Check the Zeppelin web interface or examine the installation directory for version information

Verify Fix Applied:

After upgrading, verify that the version is 0.12.0 or higher and confirm that XSS test payloads are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in user input logs
  • Multiple failed sanitization attempts

Network Indicators:

  • HTTP requests containing suspicious script patterns or encoded payloads

SIEM Query:

source="zeppelin" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")

🔗 References