Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAGkkoszsB3A5=OZ5_nToZfHTxUuT+k3QS69cLK0cuzE_+JcDUA@mail.gmail.com>
Date: Tue, 9 Dec 2025 17:27:28 +0800
From: VGalaxies <vgalaxies@...che.org>
To: oss-security@...ts.openwall.com, announce@...che.org, 
	dev@...egraph.apache.org
Subject: CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization vulnerability

Severity: moderate

Affected versions:

- Apache HugeGraph-Server 1.0.0 ~ 1.5.0 (before 1.7.0)

Description:

A remote code execution vulnerability exists where a malicious Raft
node can exploit insecure Hessian deserialization within the PD store.
The fix enforces IP-based authentication to restrict cluster
membership and implements a strict class whitelist to harden the
Hessian serialization process against object injection attacks.

Users are recommended to upgrade to version 1.7.0, which fixes the issue.

Credit:

- shukuang (reporter)
- yulate (reporter)
- X1r0z (reporter)
- haohao0103 (remediation developer)

References:

- https://hugegraph.apache.org/docs/guides/security/
- https://lists.apache.org/thread/6f502dvyrckwp8tz2k73zlko8qr7wt5x
- https://github.com/apache/incubator-hugegraph/pull/2735
- https://www.cve.org/CVERecord?id=CVE-2025-26866

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.