Apache EventMesh security advisories
Security information for Apache EventMesh
Reporting
Do you want disclose a potential security issue for Apache EventMesh? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
raft Hessian Deserialization Vulnerability allowing remote code execution
CVE-2024-56180 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-14T15:26:18.633Z
Affected
- Apache EventMesh from 1.10.1 before 1.11.0
Description
CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.
References
Credits
- yulate (reporter)
- Au5t1n (reporter)
- h3h3qaq (reporter)
- X1r0z (reporter)
SSRF
CVE-2024-39954 [CVE] [CVE json] [OSV json]
Last updated: 2025-08-20T08:56:38.252Z
Affected
- Apache EventMesh Runtime from 1.6.0 through 1.11.0
Description
CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.
Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue.
References
Credits
- Mak1r 808 808mak1r@gmail.com (reporter)
Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data
CVE-2023-26512 [CVE] [CVE json] [OSV json]
Last updated: 2023-07-27T09:32:16.269Z
Affected
- Apache EventMesh (incubating) RabbitMQ connector from 1.7.0 through 1.8.0
Description
CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and
remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible.
References
Credits
- xuxiaoyu of HW GTS shengjian lab (reporter)