Vulnerability Database

309,237

Total vulnerabilities in the database

CVE-2025-32896

Summary

Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1.

Details

Unauthorized users can access /hazelcast/rest/maps/submit-job to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack.

This issue affects Apache SeaTunnel: <=2.3.10

Fixed

Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

Published: Jun 19, 2025
Updated: Nov 24, 2025
CVE: CVE-2025-32896
GHSA: GHSA-9x53-gr7p-4qf5
Severity: Low
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWEs:

CWE-306

Affected Software
References

Software	From	Fixed in
org.apache.seatunnel / seatunnel-engine-server	-	2.3.11
org.apache.seatunnel / seatunnel-engine-common	-	2.3.11
apache / seatunnel	2.3.1	2.3.11

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo