CVE-2024-24780

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.4.

Users are recommended to upgrade to version 1.3.4, which fixes the issue.

Published: May 14, 2025
Updated: Jun 30, 2025
CVE: CVE-2024-24780
GHSA: GHSA-f4rq-f4j9-f6rm
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
org.apache.iotdb / iotdb-core	1.0.0	1.3.4

http://www.openwall.com/lists/oss-security/2025/05/14/2
https://github.com/apache/iotdb/pull/14365
https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj

Vulnerability Database

289,697

CVE-2024-24780