CVE-2024-24780: Apache IoTDB Vulnerable to Remote Code Execution

May 14, 2025 (updated July 2, 2025)

Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI.

This issue affects Apache IoTDB: from 1.0.0 before 1.3.4.

Users are recommended to upgrade to version 1.3.4, which fixes the issue.

References

github.com/advisories/GHSA-f4rq-f4j9-f6rm
github.com/apache/iotdb
github.com/apache/iotdb/pull/14365
github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2025-59.yaml
lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj
nvd.nist.gov/vuln/detail/CVE-2024-24780

Code Behaviors & Features

Detect and mitigate CVE-2024-24780 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →