CVE-2025-61735

HIGH

Apache Kylin < 5.0.3 - SSRF

Title source: rule

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

References (2)

[Issue Tracking, Vendor Advisory] https://lists.apache.org/thread/yscobmx869zvprsykb94r24jtmb58ckh

[Mailing List] http://www.openwall.com/lists/oss-security/2025/09/30/9

Scores

CVSS v3 7.3

EPSS 0.0006

EPSS Percentile 20.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-918

Status published

Affected Products (8)

apache/kylin < 5.0.3

org.apache.kylin/kylin < 5.0.3Maven

org.apache.kylin/kylin-common-server < 5.0.3Maven

org.apache.kylin/kylin-common-service < 5.0.3Maven

org.apache.kylin/kylin-core-common < 5.0.3Maven

org.apache.kylin/kylin-core-metadata < 5.0.3Maven

org.apache.kylin/kylin-ops-server < 5.0.3Maven

org.apache.kylin/kylin-server < 5.0.3Maven

Timeline

Published Oct 02, 2025

Tracked Since Feb 18, 2026