CVE-2021-40865

CRITICAL

Apache Storm <2.2.1, <2.3.0, <1.2.4 - Open Redirect


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-40865. PoCs published by hktalent.

AI-analyzed exploit summary: This PoC exploits CVE-2021-40865, a deserialization vulnerability in Apache Storm, by crafting a malicious serialized payload using ysoserial's URLDNS gadget. The payload is sent to a target Storm cluster via a socket connection to trigger a DNS lookup to a controlled domain.

Description

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4.

Exploits (1)

nomisec · WORKING POC · 14 stars
by hktalent · poc
https://github.com/hktalent/CVE-2021-40865

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache Storm (versions affected by CVE-2021-40865)
Authentication: none needed
Prerequisites: Network access to the target Storm cluster's port (6700) · Apache Storm instance vulnerable to CVE-2021-40865
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Mailing List, Third Party Advisory (x_refsource_misc)
https://seclists.org/oss-sec/2021/q4/45

Scores

CVSS v3: 9.8
EPSS: 0.6559
EPSS Percentile: 99.2%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-502
Status: published
Products (2):
apache/storm 1.0.0 - 1.2.4
org.apache.storm/storm 2.2.0 - 2.2.1 (Maven)
Published: Oct 25, 2021
Tracked Since: Feb 18, 2026