
A newly disclosed vulnerability, CVE-2025-32896, in Apache SeaTunnel—a widely used distributed data integration platform—could allow unauthenticated attackers to read arbitrary files and execute deserialization-based attacks.
SeaTunnel is a next-generation, high-performance data integration engine used for synchronizing massive data volumes across diverse environments. Its trust and adoption by large-scale organizations make this flaw particularly dangerous.
The vulnerability stems from unauthenticated access to a legacy REST API endpoint:
/hazelcast/rest/maps/submit-job
An attacker can exploit this by submitting a job to SeaTunnel using restful api-v1, injecting malicious parameters into a MySQL connection URL. This can lead to:
- Arbitrary File Read from the server’s filesystem
- Remote code execution through unsafe Java object deserialization
“Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1,” the Openwall disclosure states.
Because this endpoint does not enforce authentication, it provides a wide-open vector for attackers to execute malicious payloads and gain access to sensitive backend resources.
The issue has been patched in Apache SeaTunnel version 2.3.11. Users are advised to:
- Upgrade to 2.3.11 or later
- Enable RESTful API v2 instead of v1
- Activate HTTPS two-way authentication for all SeaTunnel nodes
The fix was implemented via pull request #9010, which updates access control logic and secures the API endpoints.
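As a defensive illustration of the connection-URL problem described above, the following added example (not SeaTunnel code and not the change made in the patch) audits a submitted job body and rejects any MySQL JDBC URL carrying a driver property outside an allow-list. The job JSON layout, the allow-list contents, the host name and the property name exampleUnlistedProp are assumptions constructed for this example.

```python
import json
import re
from urllib.parse import parse_qsl

# Assumption: the only driver properties this deployment needs; all others are refused.
ALLOWED_PROPS = {"usessl", "sslmode", "servertimezone", "characterencoding",
                 "useunicode", "connecttimeout", "sockettimeout"}
# Accept only the plain jdbc:mysql://host[:port]/db[?k=v&...] form.
PLAIN_URL = re.compile(
    r"^jdbc:mysql://[A-Za-z0-9.\-]+(:\d{1,5})?/[A-Za-z0-9_\-]*(\?(?P<query>[^#]*))?$")

def check_jdbc_url(url):
    """Return findings for one MySQL JDBC URL; an empty list means accepted."""
    m = PLAIN_URL.match(url.strip())
    if not m:
        return ["not a plain jdbc:mysql://host[:port]/db URL"]
    # parse_qsl percent-decodes keys, so encoded names are compared decoded.
    keys = [k for k, _ in parse_qsl(m.group("query") or "", keep_blank_values=True)]
    return [f"property not on allow-list: {k}" for k in keys
            if k.lower() not in ALLOWED_PROPS]

def iter_strings(node, path="$"):
    """Yield (json_path, value) for every string anywhere in the job document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from iter_strings(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from iter_strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit_job(body):
    """Map json_path -> findings for each rejected MySQL JDBC URL in a job body."""
    report = {}
    for path, value in iter_strings(json.loads(body)):
        if value.strip().lower().startswith("jdbc:mysql"):
            findings = check_jdbc_url(value)
            if findings:
                report[path] = findings
    return report

# Constructed sample job body; layout and property names are illustrative.
SAMPLE_JOB = json.dumps({
    "source": [{"plugin_name": "Jdbc", "query": "select 1", "url":
                "jdbc:mysql://db.example.internal:3306/app?useSSL=true&exampleUnlistedProp=1"}],
    "sink": [{"plugin_name": "Jdbc", "url":
              "jdbc:mysql://db.example.internal:3306/app?use%53SL=true&serverTimezone=UTC"}],
})

if __name__ == "__main__":
    print(json.dumps(audit_job(SAMPLE_JOB), indent=2))
```

A check like this is a compensating control for job bodies reviewed before submission or at a proxy in front of the API; it does not replace upgrading to 2.3.11 and requiring authentication on the endpoint.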