Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue.
The vulnerability results from improper handling of deserialization of data from untrusted sources. An attacker can send a specially crafted payload to a vulnerable Apache IoTDB endpoint, which will be deserialized without proper validation. This mechanism can lead to arbitrary code execution on the server side.
An attacker can gain full control over the system, including confidentiality, integrity, and availability of data — which corresponds to maximum CVSS component scores (C:H/I:H/A:H). The attack requires no authentication or user interaction.
Apache IoTDB must be urgently updated to version 1.2.2 or later, which eliminates the described vulnerability.
Apache IoTDB in versions 0.13.0 to 0.13.4 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Iotdb
APPApache0.13.0 – 0.13.4
Related vulnerabilities
Nieprawidłowa walidacja danych wejściowych w Apache IoTDB — RCE/injection
Krytyczna podatność w Apache IoTDB (CVE-2026-24015)
Apache IoTDB: RCE przez rejestrację złośliwej funkcji UDF z niezaufanego URI
RCE w Apache IoTDB — zdalne wykonanie kodu bez uwierzytelnienia
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoT...