CVE-2025-58337: Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode
(updated )
An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions.
Impact:
Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications.
Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).
References
- github.com/advisories/GHSA-m35w-xx8c-6xc7
- github.com/apache/doris-mcp-server
- github.com/apache/doris-mcp-server/commit/5923cc1c8973069a6d54eca1948a10488cbf409e
- lists.apache.org/thread/6tswlphj0pqn9zf25594r3c1vzvfj40h
- nvd.nist.gov/vuln/detail/CVE-2025-58337
- security.snyk.io/vuln/SNYK-PYTHON-DORISMCPSERVER-13835132
Code Behaviors & Features
Detect and mitigate CVE-2025-58337 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →