CVE-2025-61734

HIGH

Apache Kylin <5.0.2 - Info Disclosure

Title source: llm

Description

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

References (2)

[Issue Tracking, Vendor Advisory] https://lists.apache.org/thread/z705g7sn3g0bkchlqbo1hz1tyqorn4d2

[Mailing List] http://www.openwall.com/lists/oss-security/2025/09/30/8

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 18.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-552

Status published

Affected Products (8)

apache/kylin < 5.0.3

org.apache.kylin/kylin < 5.0.3Maven

org.apache.kylin/kylin-common-server < 5.0.3Maven

org.apache.kylin/kylin-common-service < 5.0.3Maven

org.apache.kylin/kylin-core-common < 5.0.3Maven

org.apache.kylin/kylin-core-metadata < 5.0.3Maven

org.apache.kylin/kylin-ops-server < 5.0.3Maven

org.apache.kylin/kylin-server < 5.0.3Maven

Timeline

Published Oct 02, 2025

Tracked Since Feb 18, 2026