Apache EventMesh security advisories

Security information for Apache EventMesh

Reporting

Do you want disclose a potential security issue for Apache EventMesh? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

raft Hessian Deserialization Vulnerability allowing remote code execution

CVE-2024-56180 [CVE] [CVE json] [OSV json]

Last updated: 2025-02-14T15:26:18.633Z

Affected

  • Apache EventMesh from 1.10.1 before 1.11.0

Description

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.

References

Credits

  • yulate (reporter)
  • Au5t1n (reporter)
  • h3h3qaq (reporter)
  • X1r0z (reporter)

SSRF

CVE-2024-39954 [CVE] [CVE json] [OSV json]

Last updated: 2025-08-20T08:56:38.252Z

Affected

  • Apache EventMesh Runtime from 1.6.0 through 1.11.0

Description

CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources.
Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue.

References

Credits

Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data

CVE-2023-26512 [CVE] [CVE json] [OSV json]

Last updated: 2023-07-27T09:32:16.269Z

Affected

  • Apache EventMesh (incubating) RabbitMQ connector from 1.7.0 through 1.8.0

Description

CWE-502 Deserialization of Untrusted Data at the rabbitmq-connector plugin module in Apache EventMesh (incubating) V1.7.0\V1.8.0 on windows\linux\mac os e.g. platforms allows attackers to send controlled message and

remote code execute via rabbitmq messages. Users can use the code under the master branch in project repo to fix this issue, we will release the new version as soon as possible.

References

Credits

  • xuxiaoyu of HW GTS shengjian lab (reporter)