CVE-2025-30067: Apache Kylin: The remote code execution via jdbc url
First published: Thu Mar 27 2025(Updated: )
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Kylin | ||
| maven/org.apache.kylin:kylin | >=4.0.0<5.0.2 | 5.0.2 |
| Apache Kylin | >=4.0.0<5.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc
- http://www.openwall.com/lists/oss-security/2025/03/27/4
- https://nvd.nist.gov/vuln/detail/CVE-2025-30067
- https://github.com/apache/kylin/commit/21d98f3ef29f71b50dacabbf039905f9f0f71b95
- https://issues.apache.org/jira/browse/KYLIN-5994
- https://github.com/advisories/GHSA-29m8-wh9p-5wc4 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-30067?
CVE-2025-30067 has a high severity rating due to its potential for code injection when administrative permissions are compromised.
How do I fix CVE-2025-30067?
To fix CVE-2025-30067, upgrade Apache Kylin to version 5.0.2 or later.
What systems are affected by CVE-2025-30067?
CVE-2025-30067 affects Apache Kylin versions from 4.0.0 to 5.0.1.
What type of vulnerability is CVE-2025-30067?
CVE-2025-30067 is classified as a code injection vulnerability.
What could an attacker do with CVE-2025-30067?
An attacker with system or project admin access could alter JDBC configurations to execute arbitrary remote code.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2025-30067
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/title
- agent/severity
- agent/references
- agent/softwarecombine
- agent/type
- agent/description
- agent/trending
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-29m8-wh9p-5wc4
- agent/source
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/event
- collector/github-advisory
- agent/tags
- collector/nvd-api
- vendor/apache
- canonical/apache kylin
- package-manager/maven
- version/apache kylin/4.0.0