Advisory

Apache InLong deserialization vulnerability enables Remote Code Execution through JDBC component

Take action: If you're running Apache InLong versions 1.13.0 through 2.1.0, plan a quick upgrade to version 2.2.0 or apply GitHub Pull Request #11732. If you can't patch, restrict the sources from which the service accepts serialized data to trusted ones, and add further layers of input validation on serialized data to mitigate exploitation.


Learn More

Apache has addressed a significant security vulnerability in its InLong real-time data streaming platform. The vulnerability affects a wide range of deployments and introduces the potential for remote code execution through unsafe deserialization practices in the platform's JDBC verification component.

The flaw is tracked as CVE-2025-27522 (CVSS score 9.3) and affects Apache InLong versions 1.13.0 through 2.1.0. It stems from the insecure handling of serialized data in InLong's JDBC component. When Apache InLong receives data during JDBC verification, malicious actors can send specially crafted payloads that, when deserialized, could trigger unauthorized behavior such as file manipulation or arbitrary code execution. This vulnerability appears to be a bypass for a previously disclosed vulnerability, CVE-2024-26579.

Given Apache InLong's role in managing large-scale data ingestion and distribution across enterprise environments, any security flaw that could lead to remote code execution requires immediate action.

Apache has addressed this vulnerability in its latest release. Affected users should immediately upgrade to InLong version 2.2.0 or apply the fix included in GitHub Pull Request #11732.

Organizations that cannot immediately upgrade should implement additional security measures, including restricting the sources from which serialized data is accepted, implementing strict input validation and sanitization for all deserialization processes, and monitoring systems for signs of suspicious deserialization behavior or unauthorized activity.
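The "strict input validation for deserialization" guidance above usually means an allowlist filter on the Java deserialization stream. The following is an added example using the JDK's built-in `ObjectInputFilter` (Java 9+); it is not code from Apache InLong or from the fix in PR #11732, and the allowed class names and resource limits are assumptions chosen for illustration.

```java
import java.io.*;
import java.util.*;

public final class StrictDeserializer {
    // Assumed allowlist: the only types this consumer expects to read.
    // java.lang.Number is listed because the stream also carries Integer's superclass descriptor.
    private static final Set<String> ALLOWED = Set.of(
            "java.util.HashMap", "java.lang.String", "java.lang.Integer", "java.lang.Number");
    private static final int MAX_DEPTH = 8, MAX_REFS = 500;   // assumed limits for this consumer
    private static final long MAX_BYTES = 64 * 1024;

    static ObjectInputFilter filter() {
        return info -> {
            // Resource limits are checked on every callback, including ones that carry no class.
            if (info.depth() > MAX_DEPTH || info.references() > MAX_REFS
                    || info.streamBytes() > MAX_BYTES) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;   // limit-only callback
            while (c.isArray()) c = c.getComponentType();               // judge arrays by element type
            if (c.isPrimitive() || ALLOWED.contains(c.getName())) return ObjectInputFilter.Status.ALLOWED;
            // Log the rejected class so monitoring can alert on unexpected types in the stream.
            System.err.println("deserialization rejected: " + c.getName());
            return ObjectInputFilter.Status.REJECTED;
        };
    }

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter());   // must be set before readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, Integer> expected = new HashMap<>();   // constructed benign input
        expected.put("batchSize", 100);
        System.out.println("accepted: " + readFiltered(serialize(expected)));
        try {
            readFiltered(serialize(new Date()));   // constructed input of a type outside the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

The allowlist is deliberately closed: any class not named, including superclass descriptors, causes `readObject()` to throw `InvalidClassException` before the object graph is constructed.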
