CVE-2025-27528

Deserialization of Untrusted Data vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.13.0 through 2.1.0. 

This
vulnerability allows attackers to bypass the security mechanisms of InLong
JDBC and leads to arbitrary file reading.Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.

[1]  https://github.com/apache/inlong/pull/11747
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
Common Weakness Enumeration
References
https://github.com/apache/inlong/pull/11747
https://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj
http://www.openwall.com/lists/oss-security/2025/05/28/3