{"id":48393,"date":"2025-06-03T07:01:04","date_gmt":"2025-06-03T07:01:04","guid":{"rendered":""},"modified":"2025-07-08T23:21:35","modified_gmt":"2025-07-09T05:21:35","slug":"cve-2025-27528-deserialization-of-untrusted-data-vulnerability-in-apache-inlong","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-27528-deserialization-of-untrusted-data-vulnerability-in-apache-inlong\/","title":{"rendered":"<strong>CVE-2025-27528: Deserialization of Untrusted Data Vulnerability in Apache InLong<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>Apache InLong, a widely used data integration tool, has been found to possess a significant security vulnerability identified as CVE-2025-27528. This vulnerability stems from deserialization of untrusted data in Apache InLong which can potentially lead to system compromise or data leakage. The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-52928-severe-bypass-issue-in-arc-on-windows-allows-unauthorized-permissions-grant\/\"  data-wpil-monitor-id=\"65099\">severity of the issue<\/a> is further emphasized by its high CVSS score of 9.1. 
The vulnerability affects versions from 1.13.0 through 2.1.0 of <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-51360-remote-code-execution-vulnerability-in-hospital-management-system-in-php-v4-0\/\"  data-wpil-monitor-id=\"54357\">Apache<\/a> InLong and poses a serious threat to the integrity and security of systems utilizing these versions.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-27528<br \/>\nSeverity: Critical (9.1 CVSS Score)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: System compromise or <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-48383-django-select2-vulnerability-risking-data-leakage-and-unauthorized-access\/\"  data-wpil-monitor-id=\"56083\">data leakage<\/a><\/p>\n<p><strong>Affected Products<\/strong><\/p>\n<table>\n<tr><th>Product<\/th><th>Affected Versions<\/th><\/tr>\n<tr><td>Apache InLong<\/td><td>1.13.0 &#8211; 2.1.0<\/td><\/tr>\n<\/table>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-47530-deserialization-of-untrusted-data-vulnerability-in-wpfunnels\/\"  data-wpil-monitor-id=\"54157\">vulnerability arises from the deserialization of untrusted data<\/a> in Apache InLong, specifically affecting the InLong JDBC. An attacker can exploit this by sending specially crafted data that, when deserialized, bypasses security mechanisms and enables <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5058-arbitrary-file-upload-vulnerability-in-emagicone-store-manager-for-woocommerce-plugin\/\"  data-wpil-monitor-id=\"54667\">arbitrary file<\/a> reading. 
This could potentially allow an attacker to read sensitive <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-39495-high-critical-vulnerability-in-boldthemes-avantage-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"54186\">data<\/a> or execute malicious code, leading to system compromise or data leakage.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p>\n<p>Here is a conceptual example of a <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-1277-memory-corruption-vulnerability-in-autodesk-applications-through-malicious-pdf-files\/\"  data-wpil-monitor-id=\"57162\">malicious payload that could be used to exploit this vulnerability<\/a>:<\/p>\n<pre><code>POST \/inlong\/jdbc HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/octet-stream\n{ &quot;serialized_object&quot;: &quot;base64-encoded-serialized-object&quot; }<\/code><\/pre>\n<p>In the example above, the <code>serialized_object<\/code> field contains a base64-encoded serialized object that, when <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-47532-untrusted-data-deserialization-vulnerability-in-coinpayments-net-payment-gateway-for-woocommerce\/\"  data-wpil-monitor-id=\"54159\">deserialized by the vulnerable<\/a> Apache InLong JDBC, could lead to arbitrary file reading or execution of malicious code.<\/p>\n<p><strong>Mitigation<\/strong><\/p>\n<p><a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-26521-apache-cloudstack-user-account-vulnerability-in-kubernetes-cluster-creation\/\"  data-wpil-monitor-id=\"63115\">Users are strongly advised to upgrade to Apache<\/a> InLong 2.2.0 or cherry-pick the fix from https:\/\/github.com\/apache\/inlong\/pull\/11747 to solve it. 
As a temporary mitigation, <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5485-a-critical-vulnerability-pertaining-to-user-name-enumeration-in-web-management-interfaces\/\"  data-wpil-monitor-id=\"63116\">users can also apply a vendor patch or use a Web<\/a> Application Firewall (WAF) or an Intrusion Detection System (IDS). However, these are not long-term solutions, and upgrading to a fixed version is strongly recommended.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview Apache InLong, a widely used data integration tool, has been found to possess a significant security vulnerability identified as CVE-2025-27528. This vulnerability stems from deserialization of untrusted data in Apache InLong which can potentially lead to system compromise or data leakage. The severity of the issue is further emphasized by its high CVSS score [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[103,79],"product":[],"attack_vector":[],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-48393","post","type-post","status-publish","format-standard","hentry","category-uncategorized","vendor-apache","vendor-github"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/48393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=48393"}],"version-history":[{"count":9,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/48393\/revisions"}],"predecessor-version":[{"i
d":58552,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/48393\/revisions\/58552"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=48393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=48393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=48393"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=48393"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=48393"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=48393"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=48393"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=48393"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=48393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}