CVE-2025-48459: Apache IoTDB: Deserialization of untrusted Data
Apache IoTDB deserializes data from external inputs without sufficient validation, allowing attacker-controlled serialized objects to be processed. In environments where a compatible gadget chain is reachable, this can be abused to execute arbitrary code or alter server state; at minimum it enables high-impact integrity and confidentiality compromise on the IoTDB process.