CVE-2025-48459
Apache IoTDB: Deserialization of untrusted Data
描述
### Summary Apache IoTDB deserializes data from external inputs without sufficient validation, allowing attacker-controlled serialized objects to be processed. In environments where a compatible gadget chain is reachable, this can be abused to execute arbitrary code or alter server state; at minimum it enables high-impact integrity and confidentiality compromise on the IoTDB process. ### Affected Apache IoTDB **from 1.0.0 before 2.0.5**. ### Remediation Upgrade to **2.0.5**, which addresses the flaw. If immediate upgrade is not possible, restrict exposure of IoTDB endpoints to trusted networks and disable or sanitize any feature paths that accept serialized payloads. These mitigations are defense-in-depth only; upgrading to 2.0.5 is the definitive fix.
如何修補 CVE-2025-48459
要修補 CVE-2025-48459,請將受影響套件升級到下列已修補版本。
- —升級至 2.0.5 或更新版本
- —升級至 2.0.5 或更新版本
- —升級至 2.0.5 或更新版本
CVE-2025-48459 正在被利用嗎?
低 — EPSS 為 0.6%,目前沒有觀察到大規模利用活動。
受影響套件(3)
- >= 1.0.0, < 2.0.5
- >= 1.0.0, < 2.0.5
- >= 1.0.0, < 2.0.5
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |