CVE-2025-27531 | Deserialization of Untrusted Data vulnerability in Apache In… | CVSS 9.8 CRITICAL

Description

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 before 2.1.0, this issue would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.

Metadata

CVE ID: CVE-2025-27531
State: PUBLISHED
Assigner: apache
Reserved: 2025-02-28 03:26 UTC
Published: 2025-06-06 14:55 UTC
Last updated: 2025-06-10 15:30 UTC
Primary CWE: CWE-502
CWE-502 Deserialization of Untrusted Data
Vendor / Product: Apache Software Foundation / Apache InLong
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache InLong	—	1.13.0 < 2.1.0

Weakness (CWE)

CWE	Source	Description
CWE-502	cna	CWE-502 Deserialization of Untrusted Data

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

https://lists.apache.org/thread/r62lkqrr739wvcb60j6ql6q63rh4bxx5