CVE-2025-27528

CRITICAL LAB

Apache InLong <2.2.0 - Deserialization

Title source: llm

Description

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 through 2.1.0. The vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick [1] to resolve it.

[1] https://github.com/apache/inlong/pull/11747

Exploits (1)

GitHub · WORKING POC · 1 star
by exploitintel · python · poc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-27528

Scores

CVSS v3 9.1
EPSS 0.0015
EPSS Percentile 34.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Lab Environment

docker pull ghcr.io/exploitintel/cve-2025-27528-test:latest

Classification

CWE
CWE-502
Status published

Affected Products (2)

apache/inlong < 2.2.0
org.apache.inlong/manager-pojo < 2.2.0 (Maven)

Timeline

Published May 28, 2025
Tracked Since Feb 18, 2026