What is the severity of CVE-2025-2298?

CVE-2025-2298 is categorized as a high severity vulnerability due to the potential for unauthorized deletion of sensitive files.

How can I mitigate CVE-2025-2298?

To mitigate CVE-2025-2298, users should update Dremio software to the latest version that is not affected by this vulnerability.

What impact does CVE-2025-2298 have on impacted systems?

CVE-2025-2298 allows authenticated users to delete arbitrary files, which can compromise the integrity and availability of critical system and user data.

Is my system affected by CVE-2025-2298?

Systems running Dremio versions prior to 24.3.16 and certain versions of 25.x are affected by CVE-2025-2298.

Who is responsible for fixing CVE-2025-2298?

The responsibility for addressing CVE-2025-2298 lies with the administrators of Dremio installations, who must apply necessary updates and patches.

Vulnerability/
CVE-2025-2298

high

8.4

CWE

862

21/4/2025

23/4/2025

CVE-2025-2298: Authenticated API Endpoint Allows Arbitrary File Deletion in Dremio Software

First published: Mon Apr 21 2025(Updated: )

An improper authorization vulnerability in Dremio Software allows authenticated users to delete arbitrary files that the system has access to, including system files and files stored in remote locations such as S3, Azure Blob Storage, and local filesystems. This vulnerability exists due to insufficient access controls on an API endpoint, enabling any authenticated user to specify and delete files outside their intended scope. Exploiting this flaw could lead to data loss, denial of service (DoS), and potential escalation of impact depending on the deleted files. Affected versions: * Any version of Dremio below 24.0.0 * Dremio 24.3.0 - 24.3.16 * Dremio 25.0.0 - 25.0.14 * Dremio 25.1.0 - 25.1.7 * Dremio 25.2.0 - 25.2.4 Fixed in version: * Dremio 24.3.17 and above * Dremio 25.0.15 and above * Dremio 25.1.8 and above * Dremio 25.2.5 and above * Dremio 26.0.0 and above

Credit: 05b98450-cf83-4905-9546-e47a66a8fec2

Affected Software	Affected Version	How to fix
Dremio	<24.0.0>=24.3.0<=24.3.16>=25.0.0<=25.0.14>=25.1.0<=25.1.7>=25.2.0<=25.2.4

Never miss a vulnerability like this again

Reference Links

https://docs.dremio.com/current/reference/bulletins/2025-04-21-01/

Frequently Asked Questions

What is the severity of CVE-2025-2298?
CVE-2025-2298 is categorized as a high severity vulnerability due to the potential for unauthorized deletion of sensitive files.
How can I mitigate CVE-2025-2298?
To mitigate CVE-2025-2298, users should update Dremio software to the latest version that is not affected by this vulnerability.
What impact does CVE-2025-2298 have on impacted systems?
CVE-2025-2298 allows authenticated users to delete arbitrary files, which can compromise the integrity and availability of critical system and user data.
Is my system affected by CVE-2025-2298?
Systems running Dremio versions prior to 24.3.16 and certain versions of 25.x are affected by CVE-2025-2298.
Who is responsible for fixing CVE-2025-2298?
The responsibility for addressing CVE-2025-2298 lies with the administrators of Dremio installations, who must apply necessary updates and patches.

collector/mitre-cve
source/MITRE
agent/references
agent/weakness
agent/title
agent/type
agent/description
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
agent/softwarecombine
collector/nvd-api
source/NVD
agent/author
agent/last-modified-date
agent/source
agent/severity
agent/tags
agent/event
vendor/dremio
canonical/dremio

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.