CVE-2025-27528

CRITICAL

Apache InLong <2.2.0 - Deserialization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-27528. PoCs published by exploitintel.

AI-analyzed exploit summary This repository contains functional exploit code demonstrating CVE-2025-27528, a JDBC URL sensitive parameter filter bypass in Apache InLong Manager. The PoC includes multiple scripts to verify the vulnerability, a lab setup with Docker, and detailed technical analysis of the root cause.

Description

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-27528

View Code ZIP pw:eip

This repository contains functional exploit code demonstrating CVE-2025-27528, a JDBC URL sensitive parameter filter bypass in Apache InLong Manager. The PoC includes multiple scripts to verify the vulnerability, a lab setup with Docker, and detailed technical analysis of the root cause.

Classification

Working Poc 100%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Apache InLong Manager 1.13.0 through 2.1.0

Auth required

Prerequisites: Docker and Docker Compose · authenticated access to InLong Manager API

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Mar 04, 2026 Full analysis →

References (3)

Core 3

Core References

Mailing List, Third Party Advisory

http://www.openwall.com/lists/oss-security/2025/05/28/3

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj

Issue Tracking patch

https://github.com/apache/inlong/pull/11747

Scores

CVSS v3 9.1

EPSS 0.0036

EPSS Percentile 58.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (2)

apache/inlong 1.13.0 - 2.2.0

org.apache.inlong/manager-pojo 1.13.0 - 2.2.0Maven

Published May 28, 2025

Tracked Since Feb 18, 2026