ClickHouse Library Bridge HTTP API Arbitrary Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in ClickHouse when the library bridge feature is enabled. The vulnerable component, clickhouse-library-bridge, exposes an HTTP API on localhost through which clickhouse-server dynamically loads and executes libraries in isolated processes. The vulnerability can be exploited on misconfigured servers that allow files to be uploaded into specific directories: an attacker who has access to both of the table engines involved can combine that upload capability with the bridge's library loading to execute arbitrary code on the ClickHouse server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the ClickHouse server.

Remediation

Users can upgrade to ClickHouse versions 24.3.18.6, 24.8.14.27, 24.11.5.34, 24.12.5.65, or 25.1.5.5. For those maintaining a forked version of ClickHouse, the fix is available in pull request #75954. If an upgrade is not possible, the library bridge can be disabled by commenting out the bridge configuration option in the clickhouse-server configuration until the upgrade can be performed.
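The following is an added example, not code from the advisory or from the ClickHouse project: it takes a server version string (for instance the output of SELECT version()) and reports whether that release already carries the fix, using only the fixed releases listed above, keyed by release branch (major.minor). Two assumptions are made that the advisory does not state: a release branch newer than the newest listed fixed branch (25.1) is treated as fixed, and a branch with no listed fixed release is reported as needing a move to a fixed branch rather than as safe.

```python
"""
Version check for the ClickHouse library bridge advisory (added example).
The fixed releases come from the advisory; the handling of branches that are
not listed is an assumption made here, not a statement of the advisory.
"""
import re
from typing import Tuple

# Fixed releases as listed in the advisory, keyed by release branch (major, minor).
FIXED_RELEASES = {
    (24, 3): (24, 3, 18, 6),
    (24, 8): (24, 8, 14, 27),
    (24, 11): (24, 11, 5, 34),
    (24, 12): (24, 12, 5, 65),
    (25, 1): (25, 1, 5, 5),
}

# ClickHouse versions are four dotted integers; anything after them (a build
# suffix such as ".altinitystable") is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'a.b.c.d' into a tuple that compares correctly component-wise."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a ClickHouse version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def _fmt(v) -> str:
    return ".".join(str(x) for x in v)


def assess(version_text: str) -> Tuple[str, str]:
    """
    Return (status, detail) where status is one of:
      'fixed'      - this release is at or above the listed fixed release
      'vulnerable' - same branch as a listed fix, but below it
      'upgrade'    - branch has no listed fixed release (assumption: move to one)
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        if v >= fixed:
            return "fixed", f"{_fmt(v)} is at or above {_fmt(fixed)}"
        return "vulnerable", f"upgrade to {_fmt(fixed)} on the {_fmt(branch)} branch"
    newest_branch = max(FIXED_RELEASES)
    if branch > newest_branch:
        # Assumption: branches cut after the newest listed fix include it.
        return "fixed", f"branch {_fmt(branch)} is newer than {_fmt(newest_branch)} (assumed to include the fix)"
    # Assumption: an older, unlisted branch has no fix available; move off it.
    return "upgrade", f"no fixed release listed for branch {_fmt(branch)}; move to a fixed branch"


if __name__ == "__main__":
    # Constructed sample inputs, not real fleet data.
    for sample in ("24.8.13.16", "24.8.14.27", "25.2.1.3", "23.8.16.40"):
        status, detail = assess(sample)
        print(f"{sample:>12}  {status:<10}  {detail}")
```

Run it against the version each server reports; a server on a branch that is not listed (for example 23.8 or 24.9) is flagged for an upgrade rather than silently passed, because the advisory names no fixed release for it.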

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 4.4
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.