New Apache InLong Flaw Opens Door to Remote Attacks

A newly disclosed vulnerability, tracked as CVE-2025-27522, has been identified in Apache InLong, a popular real-time data streaming platform. The flaw, present in versions 1.13.0 through 2.1.0, stems from unsafe deserialization of untrusted data during JDBC verification. This could enable attackers to execute remote code or manipulate files without user interaction.

Discovered by security researchers yulate and m4x, the vulnerability is linked to a prior issue, CVE-2024-26579, and was publicly detailed on May 28 via Apache’s developer mailing list. Apache has classified it as moderate in severity, with a CVSS v3.1 score ranging from 5.3 to 6.5, but warns of its significant exploitation potential in production environments. 

The issue was addressed through GitHub Pull Request #11732, which was merged in February. Users are urged to upgrade to Apache InLong version 2.2.0 or apply the patch to prevent exploitation. As of now, there is no known public proof-of-concept or active exploitation, but the flaw remains network-accessible and poses a serious risk due to its nature. 

Security teams should prioritize upgrading, restrict serialized data sources, enforce input validation, and monitor for suspicious activity. This incident underscores the dangers of deserialization vulnerabilities and the importance of secure coding practices in data-centric platforms. 

 
