Apache SeaTunnel
cpe:2.3:a:apache:seatunnel:*:*:*:*:*:*:*
- >= 2.3.1, <= 2.3.10
A vulnerability in Apache SeaTunnel versions 2.3.1 through 2.3.10 allows unauthorized users to perform arbitrary file read and deserialization attacks by submitting jobs through the RESTful API v1. The issue arises when extra parameters are added to the MySQL URL, enabling access to sensitive files and potentially leading to malicious code execution.
Exploitation of this vulnerability could result in unauthorized access to files on the server and the possibility of executing malicious code through deserialization.
Users are advised to upgrade to Apache SeaTunnel version 2.3.11, and to enable the RESTful API v2 along with HTTPS two-way authentication, which addresses this vulnerability.
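As a defense-in-depth check alongside the upgrade, job definitions can be screened before they reach the submission API so that MySQL URLs carry only expected parameters. The following is an added example, not code from Apache SeaTunnel or from this advisory. The allowlist contents, the job field layout and the parameter name `exampleExtraParam` are assumptions for illustration.

```python
import re

# Assumption: the only connection parameters this deployment needs.
ALLOWED_PARAMS = {"useSSL", "sslMode", "serverTimezone", "characterEncoding",
                  "connectTimeout", "socketTimeout"}

# Only the plain single-host form is accepted. Alternative URL syntaxes can
# carry properties outside the query string, so they fail the match outright.
STRICT_URL = re.compile(
    r"jdbc:mysql://[A-Za-z0-9.-]+(?::\d{1,5})?/[A-Za-z0-9_]+(?:\?(?P<query>[^#]*))?")

def check_mysql_url(url):
    """Return a list of reasons to reject the URL (empty list means accept)."""
    m = STRICT_URL.fullmatch(url)
    if m is None:
        return ["URL is not in the plain jdbc:mysql://host[:port]/db[?k=v] form"]
    problems = []
    query = m.group("query") or ""
    for pair in query.split("&") if query else []:
        key, sep, _value = pair.partition("=")
        # Exact, case-sensitive match on the raw key: percent-encoded or
        # re-cased spellings of a parameter are rejected, not normalised.
        if not sep or key not in ALLOWED_PARAMS:
            problems.append(f"parameter not on allowlist: {key!r}")
    return problems

def audit_job(node, path="$"):
    """Walk a parsed job definition and check every MySQL JDBC URL string in it."""
    findings = []
    if isinstance(node, dict):
        for k, v in node.items():
            findings += audit_job(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            findings += audit_job(v, f"{path}[{i}]")
    elif isinstance(node, str) and node.strip().lower().startswith("jdbc:mysql"):
        findings += [(path, p) for p in check_mysql_url(node)]
    return findings

# Constructed sample job body (layout and values are illustrative placeholders).
SAMPLE_JOB = {
    "source": [{"plugin_name": "Jdbc",
                "url": "jdbc:mysql://db.internal:3306/orders?useSSL=true&exampleExtraParam=1"}],
    "sink": [{"plugin_name": "Jdbc",
              "url": "jdbc:mysql://db.internal:3306/report?useSSL=true"}],
}

if __name__ == "__main__":
    for where, why in audit_job(SAMPLE_JOB):
        print(where, why)
```

An allowlist is used instead of a denylist so that parameters added in later driver versions are rejected by default.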