Apache IoTDB Vulnerable to Remote Code Execution

GHSA-f4rq-f4j9-f6rm · CVE-2024-24780 · PYSEC-2025-59

Published May 14, 2025 · Modified Jul 2, 2025

Description

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.4.

Users are recommended to upgrade to version 1.3.4, which fixes the issue.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-24780
WEB https://github.com/apache/iotdb/pull/14365
PACKAGE https://github.com/apache/iotdb
WEB https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2025-59.yaml
WEB https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj
WEB http://www.openwall.com/lists/oss-security/2025/05/14/2

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes