{"id":48393,"date":"2025-06-03T07:01:04","date_gmt":"2025-06-03T07:01:04","guid":{"rendered":""},"modified":"2025-07-08T23:21:35","modified_gmt":"2025-07-09T05:21:35","slug":"cve-2025-27528-deserialization-of-untrusted-data-vulnerability-in-apache-inlong","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-27528-deserialization-of-untrusted-data-vulnerability-in-apache-inlong\/","title":{"rendered":"<strong>CVE-2025-27528: Deserialization of Untrusted Data Vulnerability in Apache InLong<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>Apache InLong, a widely used data integration tool, has been found to possess a significant security vulnerability identified as CVE-2025-27528. This vulnerability stems from deserialization of untrusted data in Apache InLong which can potentially lead to system compromise or data leakage. The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-52928-severe-bypass-issue-in-arc-on-windows-allows-unauthorized-permissions-grant\/\"  data-wpil-monitor-id=\"65099\">severity of the issue<\/a> is further emphasized by its high CVSS score of 9.1. 
The vulnerability affects versions from 1.13.0 through 2.1.0 of <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-51360-remote-code-execution-vulnerability-in-hospital-management-system-in-php-v4-0\/\"  data-wpil-monitor-id=\"54357\">Apache<\/a> InLong and poses a serious threat to the integrity and security of systems utilizing these versions.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-27528<br \/>\nSeverity: Critical (9.1 CVSS Score)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: System compromise or <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-48383-django-select2-vulnerability-risking-data-leakage-and-unauthorized-access\/\"  data-wpil-monitor-id=\"56083\">data leakage<\/a><\/p>\n<p><strong>Affected Products<\/strong><\/p>\n<table><tr><th>Product<\/th><th>Affected Versions<\/th><\/tr>\n<tr><td>Apache InLong<\/td><td>1.13.0 &#8211; 2.1.0<\/td><\/tr><\/table>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-47530-deserialization-of-untrusted-data-vulnerability-in-wpfunnels\/\"  data-wpil-monitor-id=\"54157\">vulnerability arises from the deserialization of untrusted data<\/a> in Apache InLong, specifically affecting the InLong JDBC. 
An attacker can exploit this by sending specially crafted data that, when deserialized, bypasses security mechanisms and enables <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5058-arbitrary-file-upload-vulnerability-in-emagicone-store-manager-for-woocommerce-plugin\/\"  data-wpil-monitor-id=\"54667\">arbitrary file<\/a> reading. This could potentially allow an attacker to read sensitive <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-39495-high-critical-vulnerability-in-boldthemes-avantage-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"54186\">data<\/a> or execute malicious code leading to system compromise or data leakage.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p>\n<p>Here is a conceptual example of a <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-1277-memory-corruption-vulnerability-in-autodesk-applications-through-malicious-pdf-files\/\"  data-wpil-monitor-id=\"57162\">malicious payload that could be used to exploit this vulnerability<\/a>:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/inlong\/jdbc HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/octet-stream\n{ &quot;serialized_object&quot;: &quot;base64-encoded-serialized-object&quot; }<\/code><\/pre>\n<p>In the example above, the `serialized_object` field contains a base64-encoded serialized object that, when <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-47532-untrusted-data-deserialization-vulnerability-in-coinpayments-net-payment-gateway-for-woocommerce\/\"  data-wpil-monitor-id=\"54159\">deserialized by the vulnerable<\/a> Apache InLong JDBC, could lead to arbitrary file reading or execution of malicious code.<\/p>\n<p><strong>Mitigation<\/strong><\/p>\n<p><a 
href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-26521-apache-cloudstack-user-account-vulnerability-in-kubernetes-cluster-creation\/\"  data-wpil-monitor-id=\"63115\">Users are strongly advised to upgrade to Apache<\/a> InLong&#8217;s 2.2.0 or cherry-pick the fix from https:\/\/github.com\/apache\/inlong\/pull\/11747 to solve it. As a temporary mitigation, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5485-a-critical-vulnerability-pertaining-to-user-name-enumeration-in-web-management-interfaces\/\"  data-wpil-monitor-id=\"63116\">users can also apply a vendor patch or use Web<\/a> Application Firewall (WAF) or Intrusion Detection Systems (IDS). However, these are not long-term solutions and upgrading to a fixed version is strongly recommended.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview Apache InLong, a widely used data integration tool, has been found to possess a significant security vulnerability identified as CVE-2025-27528. This vulnerability stems from deserialization of untrusted data in Apache InLong which can potentially lead to system compromise or data leakage. 
The severity of the issue is further emphasized by its high CVSS score [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[103,79],"product":[],"attack_vector":[],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-48393","post","type-post","status-publish","format-standard","hentry","category-uncategorized","vendor-apache","vendor-github"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/48393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=48393"}],"version-history":[{"count":9,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/48393\/revisions"}],"predecessor-version":[{"id":58552,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/48393\/revisions\/58552"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=48393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=48393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=48393"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=48393"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=48393"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v
2\/attack_vector?post=48393"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=48393"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=48393"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=48393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}