CVE-2025-27528

CRITICAL LAB

Apache InLong <2.2.0 - Deserialization

Description

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong versions 1.13.0 through 2.1.0. The vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick the fix [1].

[1] https://github.com/apache/inlong/pull/11747

Exploits (1)

GitHub · WORKING POC · 1 star
by exploitintel · python · poc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-27528

Scores

CVSS v3 9.1
EPSS 0.0036
EPSS Percentile 58.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Lab Environment

Community Lab
docker pull inlong/manager:2.1.0

Details

CWE
CWE-502
Status published
Products (2)
apache/inlong 1.13.0 - 2.2.0
org.apache.inlong/manager-pojo 1.13.0 - 2.2.0 (Maven)
Published May 28, 2025
Tracked Since Feb 18, 2026