CVE-2025-24814: Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files
First published: Sun Jan 26 2025(Updated: )
Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual "trusted" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem. These replacement config files are treated as "trusted" and can use "<lib>" tags to add to Solr's classpath, which an attacker might use to load malicious code as a searchComponent or other plugin. This issue affects all Apache Solr versions up through Solr 9.7. Users can protect against the vulnerability by enabling authentication and authorization on their Solr clusters or switching to SolrCloud (and away from "FileSystemConfigSetService"). Users are also recommended to upgrade to Solr 9.8.0, which mitigates this issue by disabling use of "<lib>" tags by default.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Solr | <=9.7 | |
| maven/org.apache.solr:solr-core | <9.8.0 | 9.8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/gl291pn8x9f9n52ys5l0pc0b6qtf0qw1
- http://www.openwall.com/lists/oss-security/2025/01/26/1
- https://nvd.nist.gov/vuln/detail/CVE-2025-24814
- https://github.com/apache/solr/commit/f492e24881c5724a1b1baecfc9549e2cb0257525
- https://issues.apache.org/jira/browse/SOLR-16781
- https://github.com/advisories/GHSA-68r2-fwcg-qpm8 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-24814?
CVE-2025-24814 is considered a high severity vulnerability due to its potential for unauthorized configuration modifications.
How do I fix CVE-2025-24814?
To fix CVE-2025-24814, upgrade your Apache Solr installation to version 9.8.0 or higher.
What software is affected by CVE-2025-24814?
CVE-2025-24814 affects Apache Solr version 9.7 and earlier versions that use the FileSystemConfigSetService.
Can CVE-2025-24814 be exploited without authentication?
Yes, CVE-2025-24814 can be exploited in environments where Solr is running without authentication and authorization.
What are the implications of CVE-2025-24814?
The implications of CVE-2025-24814 include the risk of an attacker replacing trusted configuration files with malicious ones, potentially compromising the Solr instance.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2025-24814
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-68r2-fwcg-qpm8
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/trending
- agent/event
- collector/nvd-cve
- agent/author
- agent/source
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- vendor/apache
- canonical/apache solr
- package-manager/maven