CVE-2021-44521

CRITICAL NUCLEI LAB

Apache Cassandra 3.0.0-3.0.25 - Authenticated Remote Code Execution via User Defined Functions

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-44521. PoCs published by Yeyvo. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits CVE-2021-44521, a remote code execution vulnerability in Apache Cassandra via user-defined functions (UDFs). It leverages JavaScript UDFs to bypass security restrictions and execute arbitrary commands on the target system.

Description

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

Exploits (3)

nomisec WORKING POC 1 stars

by Yeyvo · poc

https://github.com/Yeyvo/poc-CVE-2021-44521

View Code ZIP pw:eip

This PoC exploits CVE-2021-44521, a remote code execution vulnerability in Apache Cassandra via user-defined functions (UDFs). It leverages JavaScript UDFs to bypass security restrictions and execute arbitrary commands on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Cassandra (versions affected by CVE-2021-44521)

No auth needed

Prerequisites: Network access to Cassandra instance · Cassandra-driver Python library installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/woodenklaas/cve-2021-44521

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2021-44521, which leverages Apache Cassandra's user-defined functions (UDFs) to achieve remote code execution (RCE) via JavaScript injection. The PoC creates a malicious UDF that disables the Java Security Manager and executes arbitrary commands via Runtime.exec().

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Cassandra (versions affected by CVE-2021-44521)

Auth required

Prerequisites: Cassandra instance with UDFs enabled · Network access to the Cassandra server · Valid credentials or unauthenticated access if misconfigured

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 23, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/qhpix/cve-2021-44521

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2021-44521, which leverages Apache Cassandra's user-defined functions (UDFs) to achieve remote code execution (RCE) via JavaScript injection. The PoC creates a malicious UDF that bypasses security restrictions and executes arbitrary commands on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Cassandra (versions affected by CVE-2021-44521)

No auth needed

Prerequisites: Cassandra instance accessible · Cassandra-driver Python library installed · At least one row in a table (exploit checks for this)

MITRE ATT&CK