CVE-2025-66524

HIGH LAB

Apache NiFi <2.6.0 - Deserialization

Title source: llm

Description

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-66524

View Code ZIP pw:eip

References (2)

[Mailing List, Issue Tracking, Vendor Advisory] https://lists.apache.org/thread/k9h004ydjg7opdvxr0nfywtzf33z60d7

[Mailing List] http://www.openwall.com/lists/oss-security/2025/12/18/2

Scores

CVSS v3 8.8

EPSS 0.0024

EPSS Percentile 47.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Lab Environment

EIP LAB

Docker Lab

patched docker pull ghcr.io/exploitintel/cve-2025-66524-patched:latest

vulnerable docker pull ghcr.io/exploitintel/cve-2025-66524-vulnerable:latest

View in Library GitHub

Details

CWE

CWE-502

Status published

Products (3)

apache/nifi 2.7.0 rc1 (2 CPE variants)

apache/nifi 1.20.0 - 2.7.0

org.apache.nifi/nifi-asana-processors 1.20.0 - 2.7.0Maven

Published Dec 19, 2025

Tracked Since Feb 18, 2026