CVE-2025-66524

HIGH LAB

Apache NiFi <2.6.0 - Deserialization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-66524. PoCs published by exploitintel.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2025-66524, demonstrating an unsafe Java deserialization vulnerability in Apache NiFi's GetAsanaObject processor. The exploit leverages the NiFi Distributed Map Cache server (port 4557) to inject malicious serialized objects, leading to arbitrary code execution.

Description

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.

Exploits (1)

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-66524

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2025-66524, demonstrating an unsafe Java deserialization vulnerability in Apache NiFi's GetAsanaObject processor. The exploit leverages the NiFi Distributed Map Cache server (port 4557) to inject malicious serialized objects, leading to arbitrary code execution.

Classification

Working Poc 100%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Apache NiFi (1.20.0 through 2.6.0)

No auth needed

Prerequisites: network access to NiFi Distributed Map Cache server (port 4557) · Docker environment for lab setup

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Mar 02, 2026 Full analysis →

References (2)

Core 2

Core References

Mailing List, Issue Tracking, Vendor Advisory vendor-advisory

https://lists.apache.org/thread/k9h004ydjg7opdvxr0nfywtzf33z60d7

Mailing List

http://www.openwall.com/lists/oss-security/2025/12/18/2

Scores

CVSS v3 8.8

EPSS 0.0015

EPSS Percentile 35.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Lab Environment

EIP LAB

Docker Lab

patched docker pull ghcr.io/exploitintel/cve-2025-66524-patched:latest

vulnerable docker pull ghcr.io/exploitintel/cve-2025-66524-vulnerable:latest

View in Library GitHub

Details

CWE

CWE-502

Status published

Products (3)

apache/nifi 2.7.0 rc1 (2 CPE variants)

apache/nifi 1.20.0 - 2.7.0

org.apache.nifi/nifi-asana-processors 1.20.0 - 2.7.0Maven

Published Dec 19, 2025

Tracked Since Feb 18, 2026