CVE-2021-25646

HIGH · EXPLOITED IN THE WILD · NUCLEI

Apache Druid <= 0.20.0 (fixed in 0.20.1) - Authenticated Remote Code Execution via JavaScript Code Injection

Title source: llm

Exploitation Summary

CVE-2021-25646 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 13 public exploits from researchers including 1n7erface, yaunsky and k7pro, as well as a Metasploit module, exploits/linux/http/apache_druid_js_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: The public exploits share one pattern. A crafted JSON request is sent to the indexer sampler endpoint (/druid/indexer/v1/sampler) with a transformSpec filter of type javascript; when Druid evaluates the filter, the embedded function calls java.lang.Runtime.getRuntime().exec() and runs an attacker-chosen command with the privileges of the Druid process. Several of the tools add detection (DNSLog callbacks) and reverse-shell helpers on top of that payload.

Description

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. Druid does not enable authentication by default, so on such deployments the crafted request needs no credentials at all, which is why the public exploits below work unauthenticated; the fix shipped in Druid 0.20.1.
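The mechanism above suggests a request-side check that does not depend on the server's JavaScript switch. The following is an added example, not code from the Apache Druid project or from any exploit repository listed on this page: it walks a captured JSON request body and flags every node of type javascript, rating the finding high when the function text reaches Java's process-execution classes (the java.lang.Runtime.getRuntime().exec() pattern the public PoCs use). The capture format (method, path, body tuples) and the three sample requests are constructed assumptions; the endpoint /druid/indexer/v1/sampler and the transformSpec filter location come from the exploit analyses on this page. Because the bug runs request-embedded JavaScript regardless of configuration, the rule is applied to every Druid POST body, not only to the sampler path.

```python
"""Flag Apache Druid JavaScript-injection payloads (CVE-2021-25646) in captured
HTTP request bodies.

Added example for this page, not code from the Apache Druid project or from any of
the exploit repositories listed here. It assumes (hypothetically) that a reverse
proxy or WAF in front of the Druid router/Overlord records each request's method,
path and JSON body; the sample requests at the bottom are constructed, not captured.
"""
import json
import re

# Endpoint the public PoCs on this page target. Druid also accepts JavaScript in
# queries and ingestion specs, so the walker runs on every Druid POST body.
SAMPLER_PATH = "/druid/indexer/v1/sampler"

# Constructs in a JavaScript function body that reach host code execution rather
# than transforming a row; the script engine exposes Java classes by package name.
HOST_EXEC_PATTERN = re.compile(
    r"java\.lang\.Runtime|getRuntime\s*\(|ProcessBuilder|Packages\.java|"
    r"java\.lang\.reflect|java\.io\.File"
)


def iter_javascript_nodes(node, path="$"):
    """Yield (json_path, node) for every object whose "type" is "javascript",
    wherever it appears (filter, extractionFn, aggregator, postAggregator, ...)."""
    if isinstance(node, dict):
        if str(node.get("type", "")).lower() == "javascript":
            yield path, node
        for key, value in node.items():
            yield from iter_javascript_nodes(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_javascript_nodes(value, f"{path}[{index}]")


def analyze_request(method, path, body):
    """Return findings for one request: "high" when the embedded JavaScript reaches
    host-execution primitives, "medium" for any other request-embedded JavaScript
    (which should not reach a server where the feature is disabled)."""
    findings = []
    if method.upper() != "POST" or not path.startswith("/druid/"):
        return findings
    try:
        spec = json.loads(body)
    except (TypeError, ValueError):
        return findings
    for json_path, node in iter_javascript_nodes(spec):
        # Filters/extractionFns carry the code in "function"; aggregators use
        # fnAggregate/fnCombine/fnReset, so inspect every string field.
        code = " ".join(v for v in node.values() if isinstance(v, str))
        findings.append({
            "severity": "high" if HOST_EXEC_PATTERN.search(code) else "medium",
            "endpoint": path,
            "json_path": json_path,
            "code": code,
        })
    return findings


def scan_log(records):
    """Apply analyze_request to an iterable of (method, path, body) tuples."""
    results = []
    for method, path, body in records:
        results.extend(analyze_request(method, path, body))
    return results


def _sampler_request(filter_spec):
    # Minimal sampler envelope (constructed) around a transformSpec filter.
    return json.dumps({
        "type": "index",
        "spec": {
            "ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": '{"added":1}'},
                         "inputFormat": {"type": "json"}},
            "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "t"},
                           "transformSpec": {"filter": filter_spec}},
        },
        "samplerConfig": {"numRows": 10},
    })


# Constructed sample traffic: a benign sampler call, a request shaped like the
# public PoCs, and a query with a JavaScript extractionFn that contains no exec.
SAMPLE_REQUESTS = [
    ("POST", SAMPLER_PATH, _sampler_request(
        {"type": "selector", "dimension": "added", "value": "1"})),
    ("POST", SAMPLER_PATH, _sampler_request(
        {"type": "javascript", "dimension": "added",
         "function": "function(value){java.lang.Runtime.getRuntime().exec('id')}"})),
    ("POST", "/druid/v2/", json.dumps({
        "queryType": "topN", "dataSource": "sample", "granularity": "all",
        "dimension": {"type": "extraction", "dimension": "page",
                      "extractionFn": {"type": "javascript",
                                       "function": "function(s){return s.toUpperCase()}"}},
        "metric": "count", "threshold": 5, "intervals": ["2021-01-01/2021-02-01"],
    })),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_REQUESTS):
        print(finding["severity"], finding["endpoint"], finding["json_path"])
```

Run as a script it prints one high finding for the PoC-shaped sampler request and one medium finding for the query with a JavaScript extractionFn; the benign selector filter produces nothing. In practice the same function would run over request bodies logged at a reverse proxy in front of the router, and any high finding against a node older than 0.20.1 should be treated as an exploitation attempt rather than a misconfiguration.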

Exploits (13)

nomisec WRITEUP 1,079 stars
by 1n7erface · poc
https://github.com/1n7erface/PocList

This repository is a list of PoCs for various vulnerabilities, including CVE-2020-14883. It does not contain actual exploit code but references multiple vulnerabilities and their corresponding PoCs.

Classification: Writeup 90% · Attack type: Other · Complexity: Trivial · Reliability: Theoretical
Target: Multiple (including Oracle WebLogic, Apache Solr, etc.)
No auth needed
Prerequisites: Access to the repository
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 17 stars
by yaunsky · remote
https://github.com/yaunsky/cve-2021-25646

This repository contains a functional exploit for CVE-2021-25646, an RCE vulnerability in Apache Druid. It sends a crafted JSON payload to the '/druid/indexer/v1/sampler' endpoint and executes arbitrary commands via a JavaScript filter function; it needs no credentials because it targets Druid's default no-authentication setup, not because of any flaw in authentication itself.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Apache Druid < 0.20.1
No auth needed
Prerequisites: Network access to the Druid server · Druid server with default or no authentication
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 5 stars
by k7pro · remote
https://github.com/k7pro/CVE-2021-25646-exp

This repository contains a functional exploit tool for CVE-2021-25646, an Apache Druid remote code execution vulnerability. The tool supports vulnerability detection and command execution, including reverse shell capabilities.

Classification: Working PoC 90% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Apache Druid
No auth needed
Prerequisites: Network access to the target Apache Druid instance
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 4 stars
by j2ekim · remote
https://github.com/j2ekim/CVE-2021-25646

This repository contains a functional exploit for CVE-2021-25646, an RCE vulnerability in Apache Druid. The exploit leverages a JavaScript injection in the 'filter' function of the 'transformSpec' to execute arbitrary commands via Java's Runtime.exec().

Classification: Working PoC 95% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Apache Druid < 0.20.1
No auth needed
Prerequisites: Network access to the target Apache Druid instance · Target must be running a vulnerable version of Apache Druid
devstral-2 · analyzed Feb 18, 2026
nomisec SUSPICIOUS 3 stars
by Vulnmachines · remote
https://github.com/Vulnmachines/Apache-Druid-CVE-2021-25646

The repository contains only a README with a YouTube link and no exploit code or technical details about CVE-2021-25646, a pattern also seen in social-engineering lures.

Classification: Suspicious 90% · Attack type: Other · Complexity: Theoretical · Reliability: Theoretical
Target: Apache Druid
No auth needed
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER 3 stars
by givemefivw · poc
https://github.com/givemefivw/CVE-2021-25646

This repository contains a Wker script for detecting CVE-2021-25646, an Apache Druid remote code execution vulnerability. It uses DNSLog to verify the presence of the vulnerability by sending a crafted request and checking for DNS callbacks.

Classification: Scanner 80% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Apache Druid
No auth needed
Prerequisites: DNSLog account · Network access to target
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 2 stars
by lp008 · poc
https://github.com/lp008/CVE-2021-25646

This repository contains a functional exploit for CVE-2021-25646, an RCE vulnerability in Apache Druid. The exploit leverages a malicious JavaScript function in the 'filter' parameter of a POST request to execute arbitrary commands via `java.lang.Runtime.getRuntime().exec()`.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Apache Druid (versions prior to 0.20.1)
No auth needed
Prerequisites: Network access to the Druid server · Druid server with exposed indexer endpoint
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 stars
by Ormicron · poc
https://github.com/Ormicron/CVE-2021-25646-GUI

This repository contains a GUI-based exploit for CVE-2021-25646, the Apache Druid JavaScript-injection RCE. The tool takes a target URL and a command and runs that command on the target via crafted HTTP requests.

Classification: Working PoC 90% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Apache Druid
No auth needed
Prerequisites: Network access to the target system · Target must be running a Druid version vulnerable to CVE-2021-25646
devstral-2 · analyzed Feb 18, 2026
gitlab WORKING POC
by bybsecs · poc
https://gitlab.com/bybsecs/cve-2021-25646

This repository contains a functional exploit for CVE-2021-25646, an RCE vulnerability in Apache Druid. The exploit leverages a JavaScript filter in the transformSpec to execute arbitrary commands via java.lang.Runtime.getRuntime().exec().

Classification: Working PoC 95% · Attack type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Apache Druid < 0.20.1
No auth needed
Prerequisites: Network access to the Druid server · Druid server with vulnerable version
devstral-2 · analyzed Feb 23, 2026
nomisec WORKING POC
by ShadowLance2 · remote
https://github.com/ShadowLance2/Apache-Druid-CVE-2021-25646-Exploit

This repository contains a functional Python exploit for CVE-2021-25646, an RCE vulnerability in Apache Druid. The exploit leverages JavaScript code injection via a crafted sampler request to execute arbitrary commands on the target system.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Apache Druid < 0.20.1
No auth needed
Prerequisites: Network access to the Druid server · Druid server with vulnerable version (< 0.20.1)
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by tiemio · remote
https://github.com/tiemio/RCE-PoC-CVE-2021-25646

This repository contains a functional Go-based exploit for CVE-2021-25646, a remote code execution vulnerability in Apache Druid. The exploit sends crafted JSON payloads to the Druid indexer (sampler) component, which evaluates the attacker-supplied JavaScript they carry without adequate validation, and so executes arbitrary commands.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Apache Druid (versions affected by CVE-2021-25646)
No auth needed
Prerequisites: Network access to the vulnerable Druid server · Druid indexer component exposed
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by gps1949 · remote
https://github.com/gps1949/CVE-2021-25646

This repository contains a functional Python exploit for CVE-2021-25646, which leverages a JavaScript injection vulnerability in Apache Druid to achieve remote code execution (RCE). The exploit sends a crafted HTTP POST request to the Druid sampler endpoint, embedding a malicious JavaScript function that executes arbitrary shell commands via Java's Runtime.exec.

Classification: Working PoC 95% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Apache Druid (versions prior to 0.20.1)
No auth needed
Prerequisites: Network access to the Druid server · Druid sampler endpoint exposed
devstral-2 · analyzed Feb 18, 2026
metasploit WORKING POC EXCELLENT
by Litch1, Security Team of Alibaba Cloud, je5442804 · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_druid_js_rce.rb

This Metasploit module exploits CVE-2021-25646 in Apache Druid versions prior to 0.20.1, achieving remote command execution via JavaScript code injection in a specially crafted request to the Druid indexer sampler endpoint. The module runs without credentials against the default deployment, which has no authentication configured.

Classification: Working PoC 100% · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Apache Druid < 0.20.1
No auth needed
Prerequisites: Network access to the Druid server (default port 8888) · No credentials on the default no-authentication deployment · The server-side JavaScript feature need not be enabled: the vulnerable code path runs the request's JavaScript regardless of configuration (see Description)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Apache Druid - Remote Code Execution
HIGH · by pikpikcu

References (16)

Core references
Mailing list, third-party advisory (oss-security): http://www.openwall.com/lists/oss-security/2021/01/29/6

Scores

CVSS v3.1 base score: 8.8 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
EPSS: 0.9394 (99.9th percentile)

Details

VulnCheck KEV: 2023-11-13
InTheWild.io: 2024-05-29
Status: published
Products (2)
apache/druid <= 0.20.0
org.apache.druid/druid [0, 0.20.1) (Maven)
Published: Jan 29, 2021
Tracked since: Feb 18, 2026