CVE-2025-61735

7.3 HIGH

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin that allows attackers to make unauthorized requests from the server to internal or external systems. It affects Apache Kylin versions 4.0.0 through 5.0.2 when system or project admin access is not properly secured. Attackers could potentially access internal services or sensitive data.

💻 Affected Systems

Products:
  • Apache Kylin
Versions: 4.0.0 through 5.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when Kylin's system and project admin access is not well protected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to other systems within the network environment.

🟠 Likely Case

Unauthorized access to internal HTTP services, potential data leakage from internal APIs or services.

🟢 If Mitigated

Limited impact if proper access controls are enforced and network segmentation restricts internal service access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires some level of access to the Kylin system (the advisory ties the issue to system and project admin access), though the specific authentication requirements are not detailed in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.3

Vendor Advisory: https://lists.apache.org/thread/yscobmx869zvprsykb94r24jtmb58ckh

Restart Required: Yes

Instructions:

1. Back up the current Kylin configuration and data.
2. Download Apache Kylin 5.0.3 from official sources.
3. Stop the Kylin service.
4. Replace the installation with version 5.0.3.
5. Restart the Kylin service.
6. Verify functionality.

🔧 Temporary Workarounds

Restrict Admin Access (applies to: all affected versions)

Implement strict access controls for Kylin system and project admin interfaces.

Network Segmentation (applies to: all affected versions)

Restrict the Kylin server's outbound network access to only the services it needs.

🧯 If You Can't Patch

  • Implement strict network segmentation to limit Kylin server's ability to reach internal services
  • Enforce strong authentication and authorization controls for all Kylin admin interfaces

🔍 How to Verify

Check if Vulnerable:

Check Apache Kylin version via web interface or configuration files. Versions 4.0.0 through 5.0.2 are vulnerable.

Check Version:

Check KYLIN_HOME/conf/kylin.properties or web interface for version information

Verify Fix Applied:

Verify that the version is 5.0.3 or higher. Confirm that server-side requests initiated through admin functionality are restricted to approved destinations rather than reaching arbitrary internal or external hosts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Kylin server
  • Access to internal services from Kylin IP

Network Indicators:

  • HTTP requests from Kylin server to unexpected internal endpoints
  • Outbound connections to unusual ports from Kylin

SIEM Query:

source_ip="kylin_server_ip" AND (dest_port NOT IN (80,443) OR dest_ip IN (internal_ranges))

(Pseudo-syntax: replace kylin_server_ip and internal_ranges with your environment's values and adapt the operators to your SIEM's query language.)
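The SIEM query above is pseudo-syntax, so here is the same detection logic spelled out and run over a few constructed flow records. This is an added example, not code from the advisory or from the Apache Kylin project; the Kylin server address, the internal ranges, the expected ports and the allowlist of approved backend destinations are all placeholder assumptions you would replace with your own values. It goes slightly beyond the query by allowlisting known-good internal dependencies, which is what keeps the "Kylin talking to an internal host" indicator from alerting on the server's normal backends.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample flow records (src_ip dst_ip dst_port); not taken from the advisory.
SAMPLE_FLOWS = """\
10.0.5.20 203.0.113.10 443
10.0.5.20 10.0.8.15 8080
10.0.5.20 169.254.169.254 80
10.0.5.20 198.51.100.7 22
10.0.7.3 10.0.8.15 8080
"""

# Assumed environment values (placeholders for this example, not real infrastructure).
KYLIN_SERVER_IPS = {"10.0.5.20"}
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
EXPECTED_PORTS = {80, 443}
# Internal destinations Kylin legitimately uses (hypothetical backend); exempt from alerting.
APPROVED_INTERNAL = {("10.0.8.15", 8080)}


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one whitespace-separated record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ipaddress.ip_address(parts[0])
        ipaddress.ip_address(parts[1])
        return Flow(parts[0], parts[1], int(parts[2]))
    except ValueError:
        return None


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def classify(flow: Flow) -> Optional[str]:
    """Return an alert reason when the flow matches the advisory's indicators, else None.

    Mirrors the SIEM query: source is the Kylin server AND (destination is internal
    OR destination port is outside the expected set), minus approved backends.
    """
    if flow.src_ip not in KYLIN_SERVER_IPS:
        return None
    if (flow.dst_ip, flow.dst_port) in APPROVED_INTERNAL:
        return None
    if is_internal(flow.dst_ip):
        return "kylin-to-internal"
    if flow.dst_port not in EXPECTED_PORTS:
        return "kylin-unusual-port"
    return None


def find_suspicious(text: str) -> list:
    """Run the classifier over a block of flow records and collect (flow, reason) alerts."""
    alerts = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            alerts.append((flow, reason))
    return alerts


if __name__ == "__main__":
    for flow, reason in find_suspicious(SAMPLE_FLOWS):
        print(f"{reason}: {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}")
```

On the constructed sample this flags the link-local destination and the outbound connection on port 22, while the allowlisted backend and the non-Kylin source pass silently. Tune APPROVED_INTERNAL from a baseline of the server's normal traffic before relying on the internal-destination rule, or it will page on every metastore and HDFS call.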

🔗 References
