CVE-2025-58337
Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode
EPSS 0.14%
Description
An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications. Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).
How to fix CVE-2025-58337
To remediate CVE-2025-58337, upgrade the affected package to the fixed version listed below.
- Upgrade to 0.6.0 or later
Is CVE-2025-58337 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Apache Doris-MCP-Server: all versions from 0 up to (but not including) 0.6.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |