oss-security - CVE-2025-48977: Apache Ignite: Rest Http default Arbitrary file read vulnerability

Follow @Openwall on Twitter for new release announcements and other news

Message-ID: <op.3p0w0eboo4kf3i@arzamas-pc>
Date: Thu, 28 May 2026 11:10:52 +0300
From: zstan <zstan@...che.org>
To: security@...che.org
Cc: oss-security@...ts.openwall.com
Subject: CVE-2025-48977: Apache Ignite: Rest Http default Arbitrary file read vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Ignite from 2.0.0 through 2.17.0.

Impact:
The attacker may be able to create or overwrite critical files that are  
used to execute code, such as programs or libraries.

Description:
Apache Ignite previously validated paths with a simple check like:
src.path().startsWith(ctx.config().getIgniteHome())
This was unsafe because attackers could bypass it using path traversal  
patterns such as:
../, ../../ and so on

As a result, a rest request could potentially access files outside the  
Ignite home directory.

Mitigation:
• All Ignite versions: make sure there are no vulnerable classes among
your custom code used in Apache Ignite.
• Ignite 2.0.0 through 2.17 : upgrade to Ignite 2.18

Credit:
* The vulnerability was discovered by m1sn0w, Pavel Tupitsyn

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.