Primary

Context

Apache EventMesh Hessian Deserialization Vulnerability in eventmesh-meta-raft Plugin Allowing Remote Code Execution

Vulnerability

Patched

A deserialization vulnerability has been identified in the eventmesh-meta-raft plugin of Apache EventMesh, specifically in the master branch without a released version. This vulnerability is present on Windows, Linux, and macOS platforms. It allows attackers to send controlled messages that can be executed remotely, exploiting Hessian deserialization through the RPC protocol.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Apache EventMesh is running.

Remediation

Users can upgrade to Apache EventMesh version 1.11.0-release or use the code available in the master branch of the project repository to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

10.0

exploitability

7.0

remediation

7.7

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

10.0

exploitability

7.0

remediation

7.7

relevance

0.0

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Apache EventMesh Hessian Deserialization Vulnerability in eventmesh-meta-raft Plugin Allowing Remote Code Execution

Vulnerability

Impact

Remediation

Affected Products

Apache EventMesh

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating