CVE-2025-58337

5.4 MEDIUM

📋 TL;DR

An authenticated user who holds only a read-only account on Apache Doris MCP Server can bypass the read-only restriction and perform modifications that the restriction is meant to block. Deployments running a version before 0.6.0 with read-only accounts configured are affected.

💻 Affected Systems

Products:
  • Apache Doris MCP Server
Versions: before 0.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with read-only user accounts configured.

📦 What is this software?

Apache Doris MCP Server is a Model Context Protocol (MCP) server that lets LLM-based clients (AI assistants and agents) run queries against an Apache Doris analytical database. It is a separate component from the Doris database itself, so this advisory concerns the MCP server's own access-control layer, not Doris frontend or backend nodes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify critical configuration, alter data integrity, or disrupt service operations despite having only read-only permissions.

🟠

Likely Case

Unauthorized data modification or configuration changes by users who should only have viewing privileges.

🟢

If Mitigated

Limited impact if proper network segmentation and least privilege access are already implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires valid read-only credentials; exploitation is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.6.0

Vendor Advisory: https://lists.apache.org/thread/6tswlphj0pqn9zf25594r3c1vzvfj40h

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Obtain version 0.6.0 of Apache Doris MCP Server through the same channel you originally installed from; note that this is the MCP server project, not the Doris database itself.
3. Stop the Doris MCP Server service.
4. Replace the installation with the patched version.
5. Restart the service.
6. Verify functionality, and confirm that a read-only account can no longer perform write operations.

🔧 Temporary Workarounds

Restrict read-only account access

Applies to: all affected versions (before 0.6.0)

Temporarily disable read-only accounts, or restrict what they can reach, until patching is complete. Review and minimize read-only user permissions in the Doris MCP Server configuration. Because the control being bypassed is the MCP server's own read-only restriction, do not treat it as the only line of defence: the Doris database user that the MCP server connects with should hold only the privileges the read-only use case needs (for example SELECT on the relevant databases), so that a bypass at the MCP layer still cannot write to Doris.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Doris MCP Server from untrusted networks
  • Enforce principle of least privilege by reviewing and minimizing read-only account usage

🔍 How to Verify

Check if Vulnerable:

You are exposed if you run Apache Doris MCP Server earlier than 0.6.0 and have read-only accounts configured.

Check Version:

Use the version command for your installation method as described in the Doris MCP Server documentation. If the server was installed as a Python package, pip show doris-mcp-server reports the installed version (this assumes the package name doris-mcp-server).

Verify Fix Applied:

Confirm the version is 0.6.0 or later, then test from a read-only account: attempt a harmless write (for example creating and dropping a scratch table in a test database) and confirm it is rejected, while a plain SELECT still succeeds.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized modification attempts by read-only users
  • Access control violation logs

Network Indicators:

  • Write statements (INSERT, UPDATE, DELETE, DDL) arriving at Doris over the MCP server's database connection on behalf of sessions that only hold read-only MCP access; correlate the Doris audit log with the MCP server's own logs, since the database typically sees the MCP server's service credential rather than the end user

SIEM Query:

Correlate authentication events for accounts with a read-only role against the statements those sessions subsequently issued, and alert on any write or DDL statement (INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, TRUNCATE, GRANT, SET) from such a session. Also flag multi-statement requests and statements whose first keyword is hidden behind a comment or a WITH clause; whatever the specific bypass here, those are the generic ways a naive first-keyword read-only check is evaded, and a read-only account should not be sending them at all.
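The following is an added example, not Apache Doris MCP Server code and not a reproduction of the actual bypass. It serves both the "Verify Fix Applied" test above and this SIEM query: it contrasts a naive first-keyword read-only gate with a stricter default-deny one (rejecting multi-statement input, comment-prefixed statements, SELECT ... INTO OUTFILE and CTEs that wrap a write), then runs the strict gate over constructed JSON audit-log lines to flag write attempts by read-only accounts. The log format, role names and verb lists are assumptions for illustration.

```python
"""Illustrative read-only SQL gate plus audit-log review for CVE-2025-58337.
Added example for this page: not Apache Doris MCP Server code, and it does not
reproduce the actual bypass. It shows the class of check a read-only role must
enforce (a naive first-keyword check beside a stricter default-deny one) and
reuses that check to flag write attempts by read-only accounts in log lines."""
import json
import re

# Verbs a read-only role may run; anything else is denied (default deny).
READ_ONLY_VERBS = {"SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN", "WITH"}
# Verbs that change data, schema, privileges or server state; used to reject
# a CTE-prefixed statement such as "WITH x AS (...) INSERT ...".
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "CREATE", "ALTER", "DROP", "TRUNCATE",
               "GRANT", "REVOKE", "SET", "LOAD", "ADMIN", "RENAME", "REPLACE", "MERGE"}
# Comment stripping is not string-aware: a '--' inside a literal is removed
# too, which can only make the gate stricter, never more permissive.
_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
_INTO_OUTFILE_RE = re.compile(r"\bINTO\s+OUTFILE\b", re.I)


def naive_is_read_only(sql: str) -> bool:
    """Weak gate: trusts the first keyword of the raw text, so
    'SELECT 1; DROP TABLE t' passes and a comment-prefixed SELECT fails."""
    return sql.lstrip().upper().startswith("SELECT")


def split_statements(sql: str) -> list[str]:
    """Split on ';' outside single, double or backtick quotes. Doubled quotes
    close and reopen a literal, so they work; backslash escapes are not
    handled (a production gate should use a real tokenizer)."""
    stmts, buf, quote = [], [], None
    for ch in sql:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"', "`"):
            quote = ch
            buf.append(ch)
        elif ch == ";":
            if "".join(buf).strip():
                stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        stmts.append("".join(buf).strip())
    return stmts


def first_verb(stmt: str) -> str:
    m = re.match(r"\s*\(*\s*([A-Za-z_]+)", stmt)
    return m.group(1).upper() if m else ""


def strict_is_read_only(sql: str) -> bool:
    """Every statement must open with a read-only verb after comment removal.
    Empty input, unknown verbs, SELECT ... INTO OUTFILE (writes a file) and
    CTEs that wrap a write are all denied."""
    stmts = split_statements(_COMMENT_RE.sub(" ", sql))
    if not stmts:
        return False
    for stmt in stmts:
        verb = first_verb(stmt)
        if verb not in READ_ONLY_VERBS or _INTO_OUTFILE_RE.search(stmt):
            return False
        if verb == "WITH" and set(re.findall(r"[A-Za-z_]+", stmt.upper())) & WRITE_VERBS:
            return False
    return True


# Constructed sample audit-log lines, NOT real Doris MCP Server output.
SAMPLE_LOG = """
{"ts": "2025-09-01T10:00:01Z", "user": "analyst", "role": "read_only", "sql": "SELECT count(*) FROM orders"}
{"ts": "2025-09-01T10:00:05Z", "user": "analyst", "role": "read_only", "sql": "/* report */ SELECT 1; DELETE FROM orders"}
{"ts": "2025-09-01T10:00:09Z", "user": "etl", "role": "admin", "sql": "INSERT INTO orders VALUES (1)"}
{"ts": "2025-09-01T10:00:12Z", "user": "analyst", "role": "read_only", "sql": "WITH s AS (SELECT 1) INSERT INTO t SELECT * FROM s"}
"""


def find_read_only_writes(log_text: str, read_only_roles=("read_only",)):
    """Return (ts, user, sql) for each event where a read-only role issued a
    statement the strict gate rejects; the admin INSERT is not reported."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("role") in read_only_roles and not strict_is_read_only(ev["sql"]):
                hits.append((ev["ts"], ev["user"], ev["sql"]))
    return hits


if __name__ == "__main__":
    for ts, user, sql in find_read_only_writes(SAMPLE_LOG):
        print(f"{ts} {user}: {sql}")
```

Run it as-is to see the two flagged events (the comment-prefixed multi-statement and the CTE-wrapped INSERT); the admin's INSERT is not reported. The strict gate errs on the side of denying, which is the right trade-off for a read-only role, but an application-layer check like this is still defence in depth: the database privileges granted to the MCP server's own connection are what ultimately bound the damage if the check is bypassed.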
