CVE-2024-51775 — Apache Zeppelin: Missing Origin Validation in WebSockets vulnerability

Description

Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue.

How to fix CVE-2024-51775

To remediate CVE-2024-51775, upgrade the affected package to a fixed version below.

Maven/org.apache.zeppelin:zeppelin-shell—upgrade to 0.12.0 or later

Is CVE-2024-51775 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.11.1, < 0.12.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-51775
PATCHgithub.com/apache/zeppelin
WEBgithub.com/apache/zeppelin/pull/4823
WEBwww.openwall.com/lists/oss-security/2025/08/03/5