CVE-2025-27528

9.1 CRITICAL

📋 TL;DR

This vulnerability lets an attacker bypass Apache InLong's security check on JDBC; the resulting deserialization of untrusted data allows arbitrary file reading on the InLong host. It affects Apache InLong versions 1.13.0 through 2.1.0 and can expose configuration files, credentials and other sensitive data. Organizations running these versions for data integration are at risk.

💻 Affected Systems

Products:
  • Apache InLong
Versions: 1.13.0 through 2.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the JDBC component specifically; any InLong deployment with JDBC functionality enabled is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive system files, configuration files, or database credentials, leading to complete system compromise and data exfiltration.

🟠

Likely Case

Attackers would exploit this to read configuration files containing credentials or sensitive data, potentially escalating to further system access.

🟢

If Mitigated

With proper network segmentation and access controls, impact would be limited to the InLong service's file system access permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

The vendor describes the flaw as a bypass of InLong's security check on JDBC, so exploiting it requires understanding how that check is applied to JDBC connections, but, per the rating above, no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.0

Vendor Advisory: https://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Upgrade Apache InLong to version 2.2.0.
3. Restart all InLong services.
4. Verify functionality after the upgrade.

🔧 Temporary Workarounds

Disable JDBC Component

all

Temporarily disable the vulnerable JDBC component if it is not required for operations: modify the InLong configuration to disable the JDBC connectors, which removes the affected code path from the attack surface until the upgrade is done.

🧯 If You Can't Patch

  • Implement strict network access controls to limit InLong service exposure
  • Monitor file system access logs for unusual read patterns on sensitive files

🔍 How to Verify

Check if Vulnerable:

Check Apache InLong version; if between 1.13.0 and 2.1.0 inclusive, the system is vulnerable.

Check Version:

Check InLong configuration files or application logs for version information.

Verify Fix Applied:

Confirm the running version is 2.2.0 or later, then confirm that the JDBC sources and sinks you rely on still work after the upgrade.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from InLong processes
  • JDBC connection URLs that carry unexpected, repeated or percent-encoded parameters

Network Indicators:

  • Unexpected network traffic to InLong JDBC endpoints

SIEM Query:

source="inlong.log" AND ("file read" OR "deserialization error")

The search terms above are illustrative; replace them with the field names and messages your InLong version actually logs for JDBC connections and file access.
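As an added example (not Apache InLong's code and not taken from the advisory) covering both the bypassed JDBC check described under Exploit Status and the log review above: the usual weakness in a JDBC security check is matching raw substrings of the URL, which percent-encoding, case changes, embedded whitespace and duplicated keys defeat. The Python below instead decodes and canonicalizes the URL before parsing its parameters, enforces an allowlist, and applies the same check to constructed log lines. The dangerous parameter names are real MySQL Connector/J options (allowLoadLocalInfile, allowLoadLocalInfileInPath, allowUrlInLocalInfile, autoDeserialize); that these are the parameters InLong's own check targets is an assumption, as are the allowlist, the `jdbcUrl=` log field and the sample log lines.

```python
import re
from urllib.parse import unquote

# MySQL Connector/J options that let a malicious server make the client read
# local files (LOAD DATA LOCAL INFILE) or deserialize server-supplied bytes.
# Assumed to be the parameters a JDBC security check must refuse.
DANGEROUS_PARAMS = {
    "allowloadlocalinfile",
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
    "autodeserialize",
}

# Assumed allowlist of options an integration service actually needs.
# Anything else is rejected: an allowlist cannot be bypassed by inventing
# a new spelling of a blocked name.
ALLOWED_PARAMS = {
    "usessl", "requiressl", "servertimezone", "characterencoding",
    "useunicode", "connecttimeout", "sockettimeout",
}


def canonicalize(text, rounds=3):
    """Percent-decode repeatedly (double encoding is a classic bypass),
    drop whitespace, and lowercase. The result is what a check must see."""
    cur = text
    for _ in range(rounds):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return re.sub(r"\s", "", cur).lower()


def parse_jdbc_params(url):
    """Canonicalize the whole URL first, then split the query into {key: value}.
    Decoding before splitting is deliberately conservative: an encoded '?' or
    '&' smuggled into the path or a value still surfaces as a parameter."""
    canonical = canonicalize(url)
    _, sep, query = canonical.partition("?")
    params = {}
    if sep:
        for pair in re.split(r"[&;]", query):
            if pair:
                key, _, value = pair.partition("=")
                params[key] = value
    return params


def check_jdbc_url(url):
    """Return a list of findings for a user-supplied JDBC URL; [] means it passed."""
    findings = []
    if not canonicalize(url).startswith("jdbc:"):
        return ["not a jdbc url"]
    for key in parse_jdbc_params(url):
        if key in DANGEROUS_PARAMS:
            findings.append(f"dangerous parameter: {key}")
        elif key not in ALLOWED_PARAMS:
            findings.append(f"parameter not on allowlist: {key}")
    return findings


# Detection side: run the same check over JDBC URLs found in log lines.
JDBC_URL_RE = re.compile(r"jdbc:[a-z0-9]+://\S+", re.IGNORECASE)


def scan_log_lines(lines):
    """Return (line_number, url, findings) for every line with a flagged URL."""
    hits = []
    for number, line in enumerate(lines, 1):
        for url in JDBC_URL_RE.findall(line):
            findings = check_jdbc_url(url)
            if findings:
                hits.append((number, url, findings))
    return hits


# Constructed sample lines for illustration; not real InLong log output.
SAMPLE_LOG = [
    "2025-03-01T10:00:00Z INFO create sink jdbcUrl=jdbc:mysql://db.internal:3306/inlong?useSSL=true",
    "2025-03-01T10:00:05Z INFO create sink jdbcUrl=jdbc:mysql://203.0.113.7:3306/x?allowLoadLocalInfile=true",
    "2025-03-01T10:00:09Z INFO create sink jdbcUrl=jdbc:mysql://203.0.113.7:3306/x?useSSL=false&auto%44eserialize=true",
    "2025-03-01T10:00:12Z INFO create sink jdbcUrl=jdbc:mysql://203.0.113.7:3306/x%3FallowUrlInLocalInfile%3Dtrue",
]

if __name__ == "__main__":
    for number, url, findings in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {url}\n    {'; '.join(findings)}")
```

Lines 2 to 4 of the sample are flagged: a plain dangerous parameter, one hidden behind a single percent-encoded letter, and one where the whole query string was encoded into the path. Because the check decodes before it splits, a value that legitimately contains an encoded `&` will be split too; that is a false positive worth accepting in a check whose failure mode is arbitrary file read.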

🔗 References
