Apache ActiveMQ Vulnerability CVE-2026-34197 Exploited in the Wild
CVE-2026-34197, an Apache ActiveMQ flaw
Security Advisory
Summary
Apache has released security updates for Apache Tomcat that address four newly disclosed vulnerabilities across several supported branches. The flaws pose a serious threat, particularly to internet-exposed or high-availability deployments.
Apache Tomcat is one of the world’s most widely used open-source Java servlet containers.
| OEM | Apache |
| Severity | High |
| CVSS Score | 8.4 |
| CVEs | CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-49124 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The affected versions span the 9.0.x, 10.1.x and 11.0.x branches. The set comprises two high-impact denial-of-service (DoS) vulnerabilities, a security-constraint bypass (rated moderate by Apache) and a Windows installer issue that may allow privilege escalation via side-loading.
Timely patching is essential to prevent potential service disruptions and unauthorized access.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Memory Exhaustion via Multipart Header Exploitation | CVE-2025-48976 | Apache Tomcat | High |
| Multipart Upload Resource Exhaustion | CVE-2025-48988 | Apache Tomcat | High |
| Security Constraint Bypass (Pre/PostResources) | CVE-2025-49125 | Apache Tomcat | High |
| Windows Installer Side-Loading Risk | CVE-2025-49124 | Apache Tomcat | High |
Technical Summary
The vulnerabilities lie in Tomcat’s multipart request handling, in how PreResources/PostResources are mounted, and in the Windows installer. Exploitation may result in denial of service (memory exhaustion), local privilege escalation (installer abuse) or a security-constraint bypass.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-48976 | Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 | Fixed memory allocation limit in multipart header processing could be exploited to consume memory and cause DoS. | Denial-of-service attack. |
| CVE-2025-48988 | Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 | Multipart request body with many parts can trigger high memory usage due to improper limit handling between parameters and parts. | Denial-of-service attack. |
| CVE-2025-49125 | Tomcat with PreResources/PostResources mounted somewhere other than the web application root | Resources mounted at a non-root path could also be reached through an unexpected alternative path, which was likely not covered by the security constraints protecting the expected path. | Security constraint (authentication/authorization) bypass. |
| CVE-2025-49124 | Tomcat Windows Installers | Installer invoked icacls.exe without full path, making it vulnerable to side-loading attacks via PATH manipulation. | Privilege Escalation. |
Remediation:
Update Immediately: Upgrade to Apache Tomcat 9.0.106, 10.1.42 or 11.0.8 or later, the first releases in each branch that fix all four issues (including the Windows installers). Until then, run the Windows installer only from a shell whose PATH you control, and review any PreResources/PostResources mounted outside the web application root together with the security constraints that are supposed to cover them.
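For the two multipart DoS issues, the practical hardening step after upgrading is to bound how much a single multipart request may make Tomcat allocate. The fragment below is an added illustration, not text from the advisory or the Tomcat project: a conf/server.xml HTTP connector before and after the caps. The attribute names maxPartCount and maxPartHeaderSize are the ones the fixed releases introduce as I recall them, so confirm them against the HTTP Connector reference for the release you deploy; the values are assumptions to tune to your real upload workload.

```xml
<!-- conf/server.xml, HTTP connector (added example, not the advisory's text) -->

<!-- Before (9.0.105 / 10.1.41 / 11.0.7): nothing bounds the number of parts or the
     size of each part's headers, so a crafted multipart body drives memory use up
     regardless of maxParameterCount. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxParameterCount="1000" />

<!-- After (9.0.106 / 10.1.42 / 11.0.8 and later): explicit caps on part count and
     per-part header bytes. Values are assumptions; check the Connector docs. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxParameterCount="1000"
           maxPartCount="10"
           maxPartHeaderSize="512" />
```

Requests that exceed the caps are rejected before the parts are buffered, which is the point: the limit has to sit in the connector, not in application code, because the allocation happens during parsing, before a servlet or filter sees the request.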
Conclusion:
Attackers could exploit these flaws to cause denial-of-service, escalate privileges or bypass authentication and authorization controls.
The Apache Software Foundation credits the TERASOLUNA Framework Security Team of NTT DATA Group Corporation and T. Doğa Gelişli for identifying these issues.
Because Tomcat is widely used in enterprise and cloud environments, prompt patching is essential to prevent potential exploitation, service outages or unauthorized access.
Security Advisory
Summary
A high-severity remote code execution (RCE) vulnerability has been identified in Apache Parquet Java, specifically within the parquet-avro module. Discovered by Apache contributor Gang Wu, it affects all versions up to and including 1.15.1 and can allow attackers to execute arbitrary code when a system processes a specially crafted Parquet file. The issue is fixed in version 1.15.2.
| OEM | Apache |
| Severity | High |
| CVSS Score | Not Available |
| CVEs | CVE-2025-46762 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Remote Code Execution vulnerability | CVE-2025-46762 | Apache Parquet Java | High | 1.15.2 |
Technical Summary
CVE-2025-46762 arises from insecure schema parsing logic in the parquet-avro module of Apache Parquet Java. When the application uses the “specific” or “reflect” Avro data models to read a Parquet file, malicious actors can inject specially crafted metadata into the Avro schema portion of the file.
Upon deserialization, the system may inadvertently execute code from Java classes listed in the default trusted packages (e.g., java.util), resulting in remote code execution. The vulnerability is not present when using the safer “generic” Avro model.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-46762 | Apache Parquet Java ≤1.15.1 | Insecure deserialization in the parquet-avro module allows execution of arbitrary Java classes when processing Parquet files with embedded malicious Avro schemas. The issue is exploitable only when using the “specific” or “reflect” data models, and relies on the presence of pre-approved trusted packages like java.util. | Remote Code Execution (RCE), potential supply chain compromise, unauthorized code execution. |
Conditions for Exploitation:
The application reads Parquet files through the parquet-avro module of Apache Parquet Java 1.15.1 or earlier.
It reads them with the “specific” or “reflect” Avro data model rather than the “generic” model.
The file comes from a source the application does not control or verify.
The default trusted-package list (which includes java.util) has not been cleared.
This creates significant risk in data processing environments such as Apache Spark, Flink and Hadoop, where externally supplied Parquet files are commonly ingested.
Remediation:
Upgrade Apache Parquet Java to 1.15.2 or later. If upgrading is not immediately possible, start the JVM with the trusted-package list emptied, so that the Avro schema metadata can no longer name any class to instantiate:
-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=""
Independently of the version, read files from untrusted sources with the “generic” Avro data model, which is not affected.
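What the two mitigations look like in code, as an added example (mine, not from the Parquet project or the advisory): a small reader that clears the trusted-package list before parquet-avro initialises and reads with GenericData instead of SpecificData or ReflectData. It assumes the Hadoop-backed parquet-avro API of the 1.15 line (HadoopInputFile, AvroParquetReader.builder); the class name and the file path argument are placeholders.

```java
import java.io.IOException;

import org.apache.avro.generic.GenericData;
import org.apache.avro.generic.GenericRecord;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.parquet.avro.AvroParquetReader;
import org.apache.parquet.hadoop.ParquetReader;
import org.apache.parquet.hadoop.util.HadoopInputFile;

/** Hypothetical helper for Parquet files of unknown origin (added example). */
public final class UntrustedParquetReader {

    static {
        // Mitigation from the advisory for 1.15.1 and earlier: an empty trusted-package
        // list means the Avro schema metadata cannot name any class to instantiate.
        // It must be set before parquet-avro classes initialise, so do it in a static
        // initialiser of the entry class, or with -D on the JVM command line.
        System.setProperty("org.apache.parquet.avro.SERIALIZABLE_PACKAGES", "");
    }

    /**
     * Counts the records in a file using the generic data model. GenericData treats the
     * embedded schema purely as data; SpecificData and ReflectData would resolve class
     * names found in the schema metadata, which is the path the vulnerability abuses.
     */
    public static long countRecords(String file) throws IOException {
        Configuration conf = new Configuration();
        HadoopInputFile in = HadoopInputFile.fromPath(new Path(file), conf);
        long n = 0;
        try (ParquetReader<GenericRecord> reader = AvroParquetReader.<GenericRecord>builder(in)
                .withDataModel(GenericData.get())   // not SpecificData.get() / ReflectData.get()
                .withConf(conf)
                .build()) {
            while (reader.read() != null) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws IOException {
        // Usage: java UntrustedParquetReader /path/to/untrusted.parquet
        System.out.println(countRecords(args[0]) + " records");
    }
}
```

In Spark, Flink or Hadoop you do not call parquet-avro directly, so the property has to reach the JVMs that do the reading (for Spark, through the driver and executor extraJavaOptions settings); the generic-model rule still applies to any custom reader code that ingests files from outside the platform.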
Conclusion:
CVE-2025-46762 presents a significant RCE threat within big data ecosystems that use Apache Parquet Java with the parquet-avro module. Systems relying on unsafe deserialization patterns are especially at risk. Prompt patching or configuration hardening is strongly recommended to safeguard against exploitation.
Security Advisory
Summary
Apache Roller is a widely used Java-based blogging platform that enables users to create, manage and publish blog content. It supports features such as user authentication, content management and customizable themes.
| OEM | Apache |
| Severity | Critical |
| CVSS Score | 10.0 |
| CVEs | CVE-2025-24859 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
A critical security vulnerability (CVE-2025-24859) has been discovered in Apache Roller (versions 1.0.0 to 6.1.4), where old sessions are not invalidated after a password change, allowing attackers to maintain unauthorized access if they have stolen a session token. This flaw poses a significant risk of session hijacking and unauthorized access, and users are advised to upgrade to version 6.1.5 to mitigate the issue.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Insufficient Session Expiration on Password Change | CVE-2025-24859 | Apache Roller | Critical |
Technical Summary
The vulnerability centers on insufficient session expiration.
When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions.
As a result, any session tokens before the password change remain valid.
This means that if an attacker has already compromised a user’s credentials and established a session, they can continue to access the application even after the password is updated, effectively bypassing a key security control.
This is a serious threat in deployments with many users or administrators, where a password change is often the only response to a suspected credential theft and is expected to end any attacker’s access.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24859 | Apache Roller 1.0.0 – 6.1.4 | Sessions are not invalidated after password change, allowing persistent access through old sessions if compromised. | Unauthorized Access / Session Hijacking |
Remediation:
Upgrade Apache Roller to version 6.1.5 or later. Until the upgrade is in place, treat a password reset as incomplete: revoke the user’s existing sessions by other means (an administrator-forced logout or a purge of the server-side session store) and review access logs for activity from the old session after the change.
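To make concrete what “invalidate existing sessions on password change” means in servlet terms, here is an added example of the control that was missing; it is my illustration, not Roller’s code or its fix. It assumes the jakarta.servlet API (Servlet 5 or later), a session attribute named authenticatedUser, and a login handler that calls bind(); all three are assumptions.

```java
import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical per-user session registry (added example). A password change
 * revokes every other session the user holds on this node and rotates the
 * id of the session that made the change.
 */
@WebListener
public class SessionRevoker implements HttpSessionListener {

    /** Assumed name of the session attribute holding the logged-in username. */
    public static final String USER_ATTR = "authenticatedUser";

    private static final Map<String, Set<HttpSession>> SESSIONS_BY_USER = new ConcurrentHashMap<>();

    /** Call once from the login handler after the credentials have been verified. */
    public static void bind(HttpServletRequest request, String username) {
        // A fresh id at login defeats session fixation; then record the session under the user.
        request.changeSessionId();
        HttpSession session = request.getSession();
        session.setAttribute(USER_ATTR, username);
        SESSIONS_BY_USER.computeIfAbsent(username, k -> ConcurrentHashMap.newKeySet()).add(session);
    }

    /**
     * Call from the password-change (or admin reset) handler after the new password
     * has been persisted. Returns the number of sessions revoked. The caller's own
     * session, if it belongs to that user, survives with a new id.
     */
    public static int onPasswordChanged(HttpServletRequest request, String username) {
        HttpSession current = request.getSession(false);
        int revoked = 0;
        // ConcurrentHashMap key sets tolerate removal during iteration (sessionDestroyed below).
        for (HttpSession s : SESSIONS_BY_USER.getOrDefault(username, Set.of())) {
            if (s == current) {
                continue;
            }
            try {
                s.invalidate();
                revoked++;
            } catch (IllegalStateException alreadyInvalid) {
                SESSIONS_BY_USER.get(username).remove(s);
            }
        }
        // An administrator resetting someone else's password has no session for that user.
        if (current != null && username.equals(current.getAttribute(USER_ATTR))) {
            request.changeSessionId();
        }
        return revoked;
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object user = s.getAttribute(USER_ATTR);   // attributes are still readable at this point
        if (user != null) {
            Set<HttpSession> set = SESSIONS_BY_USER.get(user);
            if (set != null) {
                set.remove(s);
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to do until the session is bound to a user at login.
    }
}
```

The registry lives in one JVM, so in a clustered or session-persisting deployment it only covers sessions on the node that handled the change. The more robust design is to store a password-changed-at timestamp on the user record and have the authentication filter reject any session created before it; that works across nodes and survives restarts, and the in-memory revocation above then becomes an optimisation rather than the control.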
Conclusion:
CVE-2025-24859 represents a critical access control threat to Apache Roller implementations.
Although no active exploitation has been observed to date, an attacker who has obtained a session token can simply keep using it, so organizations running Apache Roller should update to version 6.1.5 promptly.
This is a critical step in maintaining the security of blog sites and protecting user data.
CVE-2025-24859 highlights the importance of robust session management in web applications: a password change must end every session that was established under the old credentials.
Security Advisory
A security vulnerability, CVE-2025-27017, has been identified in Apache NiFi.
Provenance events generated by the affected MongoDB processors retain the usernames and passwords used for MongoDB authentication, breaking the separation between flow data and the credentials used to obtain it.
| OEM | Apache |
| Severity | Medium |
| CVSS | 6.9 |
| CVEs | CVE-2025-27017 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
Apache NiFi is a widely used dataflow automation tool. The vulnerability lets anyone who can read provenance events obtain the MongoDB credentials recorded in them. Versions 1.13.0 through 2.2.0 are affected; the issue is fixed in 2.3.0.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Apache NiFi Credential Exposure | CVE-2025-27017 | Apache NiFi | Medium |
Technical Summary
The vulnerability stems from Apache NiFi’s inclusion of MongoDB usernames and passwords in provenance event records.
Any user with read access to provenance records can extract those credentials and use them to reach the MongoDB databases directly, outside the access controls NiFi applies to the flow itself.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-27017 | Apache NiFi 1.13.0 – 2.2.0 | MongoDB credentials are recorded in provenance events, so users who are permitted to read provenance can obtain credentials they were never granted. | Unauthorized access to MongoDB databases, potential data breaches. |
Remediation:
Upgrade Apache NiFi to version 2.3.0 or later, in which MongoDB credentials are no longer written to provenance events.
General Recommendations:
Restrict the provenance read policy to the users who genuinely need it, rotate the MongoDB credentials used by the affected processors (the old values remain in already-recorded provenance events until those age out of the repository), and review who has read provenance data since the credentials were first exposed.
Conclusion:
This vulnerability poses a risk to organizations using Apache NiFi for data processing workflows involving MongoDB. Immediate action is recommended to upgrade to version 2.3.0 or later, restrict access to provenance data, and rotate credentials to mitigate any potential exposure. Organizations should implement stringent security measures to protect against similar vulnerabilities in the future.
This security flaw is particularly concerning because provenance events play a crucial role in auditing and monitoring data flows within NiFi. If left unpatched, this vulnerability could result in data breaches, unauthorized modifications, or even complete database compromise.
Summary
| OEM | Apache |
| Severity | Critical |
| CVSS | 9.8 |
| CVEs | CVE-2024-50379, CVE-2024-54677 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
Two recent Apache Tomcat vulnerabilities, CVE-2024-50379 and CVE-2024-54677, present significant security threats: remote code execution (RCE) and denial of service (DoS) respectively. CVE-2024-50379 is a time-of-check/time-of-use race during JSP compilation on case-insensitive file systems; when the default servlet is write-enabled, an attacker can upload a file that Tomcat then compiles and executes as a JSP. CVE-2024-54677 abuses unlimited uploads in the bundled examples web application to exhaust memory.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Race Condition Vulnerability | CVE-2024-50379 | Apache | Critical | Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97 |
| Uncontrolled Resource Consumption Vulnerability | CVE-2024-54677 | Apache | Medium | Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-50379 | Apache Tomcat | A race condition during JSP compilation in Apache Tomcat allows attackers to upload malicious JSP files, leading to remote code execution. This occurs when the default servlet is configured with write permissions on a case-insensitive file system. | Remote Code Execution |
| CVE-2024-54677 | Apache Tomcat | The examples web application in Apache Tomcat does not limit the size of uploaded data, enabling attackers to cause an OutOfMemoryError by uploading excessive amounts of data, leading to a denial of service. | Denial of Service |
Remediation:
Upgrade to Apache Tomcat 9.0.98, 10.1.34 or 11.0.2 or later.
Recommendations:
Keep the default servlet read-only (the readonly init-param at its default value of true) unless write access is genuinely required. On case-insensitive file systems running Java 8 or 11, also set the JVM property sun.io.useCanonCaches=false (already the default on Java 17). Remove the examples web application from production deployments; it is the only component affected by CVE-2024-54677.
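The precondition for CVE-2024-50379 is a configuration choice, so the check is a configuration review. The fragment below is an added illustration, not text from the advisory or the Tomcat project: the DefaultServlet declaration from conf/web.xml with the write-enabled setting beside the hardened one. The surrounding structure follows the stock Tomcat web.xml; any extra init-params your deployment carries are left out.

```xml
<!-- conf/web.xml, DefaultServlet declaration (added example, not the advisory's text) -->

<!-- Weak: a write-enabled default servlet lets HTTP PUT create files under the
     web application, which is the precondition for the CVE-2024-50379 race on
     case-insensitive file systems. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

<!-- Hardened: readonly is the default, so simply do not override it; setting it
     to true explicitly makes the intent visible to the next reviewer. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
```

A quick audit is to grep every web.xml (the global conf/web.xml and each application’s WEB-INF/web.xml) for a readonly param set to false; where write access is intentional on Windows or macOS with Java 8 or 11, add -Dsun.io.useCanonCaches=false to CATALINA_OPTS as well as upgrading, since the upgrade alone does not cover that combination.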