Description
Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 before 2.1.0. It would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.
Exploits (1)
github
WORKING POC
1 stars
by exploitintel · python · poc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-27531
Scores
CVSS v3: 9.8
EPSS: 0.0050
EPSS Percentile: 65.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lab Environment
mysql
vulnerable
docker pull ghcr.io/exploitintel/cve-2025-27531-vulnerable:latest
Classification
CWE: CWE-502
Status: published
Affected Products (2)
apache/inlong: < 2.1.0
org.apache.inlong/inlong-manager (Maven): < 2.1.0
Timeline
Published: Jun 06, 2025
Tracked Since: Feb 18, 2026