CVE-2025-27531

CRITICAL LAB

Apache InLong <2.1.0 - Deserialization

Title source: llm

Description

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 before 2.1.0, this issue would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-27531

View Code ZIP pw:eip

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/r62lkqrr739wvcb60j6ql6q63rh4bxx5

[Mailing List, Vendor Advisory] http://www.openwall.com/lists/oss-security/2025/02/28/2

Scores

CVSS v3 9.8

EPSS 0.0050

EPSS Percentile 65.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

EIP LAB

Lab screenshot

vulnerable docker pull ghcr.io/exploitintel/cve-2025-27531-vulnerable:latest

View in Library GitHub

Details

CWE

CWE-502

Status published

Products (2)

apache/inlong 1.13.0 - 2.1.0

org.apache.inlong/inlong-manager 1.13.0 - 2.1.0Maven

Published Jun 06, 2025

Tracked Since Feb 18, 2026