CVE-2025-27017: Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record
First published: Tue Mar 11 2025(Updated: )
Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache NiFi | >=1.13.0<=2.2.0 | |
| maven/org.apache.nifi:nifi-mongodb-services | >=1.13.0<2.3.0 | 2.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q
- http://www.openwall.com/lists/oss-security/2025/03/11/1
- https://nvd.nist.gov/vuln/detail/CVE-2025-27017
- https://github.com/apache/nifi/commit/48d684500f6ad70f65bfd510db054590c5bc74a9
- https://issues.apache.org/jira/browse/NIFI-14272
- https://github.com/advisories/GHSA-35gq-cvrm-xf94 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-27017?
The severity of CVE-2025-27017 is considered high due to the exposure of sensitive MongoDB credentials.
How do I fix CVE-2025-27017?
To fix CVE-2025-27017, upgrade to Apache NiFi version 2.3.0 or later.
What versions of Apache NiFi are affected by CVE-2025-27017?
Apache NiFi versions from 1.13.0 to 2.2.0 are affected by CVE-2025-27017.
Can an unauthorized user exploit CVE-2025-27017?
CVE-2025-27017 requires authorized user access to provenance events, so unauthorized users cannot exploit it directly.
What data is exposed in CVE-2025-27017?
CVE-2025-27017 exposes MongoDB usernames and passwords within NiFi provenance events.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2025-27017
- agent/first-publish-date
- agent/title
- agent/weakness
- agent/type
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-35gq-cvrm-xf94
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/trending
- agent/event
- collector/nvd-cve
- agent/source
- agent/tags
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/github-advisory
- vendor/apache
- canonical/apache nifi
- package-manager/maven