CVE-2025-62728

5.4 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Apache Hive Metastore Server (HMS) allows authorized users to execute arbitrary SQL commands when calling the Thrift APIs that delete column statistics. It affects Hive versions from 4.1.0 up to, but not including, 4.2.0. The risk is limited because in most deployments HMS is only accessible to trusted applications such as HiveServer2.

💻 Affected Systems

Products:
  • Apache Hive Metastore Server
Versions: 4.1.0 up to, but not including, 4.2.0
Operating Systems: All platforms running affected Hive versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when metastore.try.direct.sql is true (default) and when HMS Thrift APIs are accessible to authorized users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authorized attackers could execute arbitrary SQL commands, potentially leading to data manipulation, data exfiltration, or denial of service.

🟠 Likely Case

Limited impact since only trusted applications can access the vulnerable Thrift APIs in typical deployments, and many installations already have metastore.try.direct.sql set to false.

🟢 If Mitigated

No impact if metastore.try.direct.sql is set to false or if HMS Thrift APIs are not exposed to untrusted users.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authorized access to HMS Thrift APIs and knowledge of SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.0

Vendor Advisory: https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g

Restart Required: Yes

Instructions:

1. Download Apache Hive 4.2.0 or later.
2. Stop Hive Metastore Server.
3. Replace existing installation with patched version.
4. Restart Hive Metastore Server.

🔧 Temporary Workarounds

Disable direct SQL execution (all platforms)

Set the metastore.try.direct.sql property to false in hive-site.xml or the equivalent configuration so that the vulnerable code path is not reached:

metastore.try.direct.sql=false

🧯 If You Can't Patch

  • Restrict access to HMS Thrift APIs to only trusted applications
  • Implement network segmentation to isolate HMS from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check Hive version and verify if metastore.try.direct.sql is set to true

Check Version:

hive --version

Verify Fix Applied:

Verify Hive version is 4.2.0 or later, or confirm metastore.try.direct.sql is set to false
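
The two checks above combined into one script. This is an added example, not code from the advisory or the Apache Hive project. It assumes the `hive --version` output contains a version such as `Hive 4.1.0`; the function names, the sample XML and the fallback to the legacy `hive.metastore.try.direct.sql` name are assumptions.

```python
import re
import xml.etree.ElementTree as ET

KEY = "metastore.try.direct.sql"              # property named in the advisory
LEGACY_KEY = "hive.metastore.try.direct.sql"  # assumption: older alias, read if KEY is unset

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Hive 4.1.0' or '4.1.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def direct_sql_enabled(hive_site_xml):
    """Return the effective setting; the advisory states the default is true."""
    props = {}
    for prop in ET.fromstring(hive_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        props[name] = (prop.findtext("value") or "").strip()  # last definition wins
    for key in (KEY, LEGACY_KEY):
        if key in props:
            return props[key].lower() == "true"
    return True  # property absent: default applies

def assess(version_output, hive_site_xml):
    """Classify a deployment from its version string and hive-site.xml text."""
    version = parse_version(version_output)
    if not ((4, 1, 0) <= version < (4, 2, 0)):
        return "not affected: version outside 4.1.0 <= v < 4.2.0"
    if not direct_sql_enabled(hive_site_xml):
        return "mitigated: affected version, direct SQL disabled"
    return "vulnerable: affected version with direct SQL enabled"

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_DEFAULT = "<configuration></configuration>"
SAMPLE_MITIGATED = """<configuration>
  <property><name>metastore.try.direct.sql</name><value>false</value></property>
</configuration>"""

if __name__ == "__main__":
    print(assess("Hive 4.1.0", SAMPLE_DEFAULT))
    print(assess("Hive 4.1.0", SAMPLE_MITIGATED))
    print(assess("Hive 4.2.0", SAMPLE_DEFAULT))
```

Run it against the configuration file the Metastore process actually loads, since a client-side hive-site.xml may differ from the server's.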

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in HMS logs
  • Multiple delete column statistics requests from single source
  • SQL syntax errors in Thrift API logs

Network Indicators:

  • Unusual traffic patterns to HMS Thrift API endpoints
  • SQL injection patterns in API requests

SIEM Query:

source="hive-metastore.log" AND ("delete column statistics" OR "CWE-89" OR "SQL injection")
