Apache Hertzbeat security advisories
Security information for Apache Hertzbeat
Reporting
Do you want disclose a potential security issue for Apache Hertzbeat? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Uncontrolled Resource Consumption via Crafted XPath Expressions
CVE-2026-24343 [CVE] [CVE json] [OSV json]
Last updated: 2026-02-09T15:07:42.730Z
Affected
- Apache HertzBeat from 1.7.1 before 1.8.0
Description
Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat.
This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
References
Jmx JNDI injection vulnerability
CVE-2025-48208 [CVE] [CVE json] [OSV json]
Last updated: 2025-09-09T09:31:33.928Z
Affected
- Apache HertzBeat (incubating) through 1.7.2
Description
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat .
The attacker needs to have an authenticated account with access, and the attack can only be triggered by crafting custom commands. A successful attack would result in arbitrary script execution.
This issue affects Apache HertzBeat: through 1.7.2.
Users are recommended to upgrade to version [1.7.3], which fixes the issue.
References
Credits
- F10wers13eiCHeng (finder)
- aftersnow (finder)
RCE by parse http sitemap xml response
CVE-2025-24404 [CVE] [CVE json] [OSV json]
Last updated: 2025-09-09T09:30:57.298Z
Affected
- Apache HertzBeat (incubating) before 1.7.0
Description
XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat.
The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing vulnerability.
This issue affects Apache HertzBeat (incubating): before 1.7.0.
Users are recommended to upgrade to version 1.7.0, which fixes the issue.
References
Credits
- unam4 (finder)
- springkill (finder)
- Zoiltin (finder)
Server-Side Request Forgery (SSRF) in Api Config Oss
CVE-2024-56736 [CVE] [CVE json] [OSV json]
Last updated: 2025-04-16T15:38:09.273Z
Affected
- Apache HertzBeat before 1.7.0
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat.
This issue affects Apache HertzBeat (incubating): before 1.7.0.
Users are recommended to upgrade to version 1.7.0, which fixes the issue.
References
- https://lists.apache.org/thread/kdzg36h9yxp0q0n4lhcfppxntjy8rj1x
- https://lists.apache.org/thread/lwfhsllos1rx9v8k0yhl252cbpqpn0sv
Credits
- tonghuaroot (finder)
- zyufoye (finder)
Exposure sensitive token via http GET method with query string
CVE-2024-45791 [CVE] [CVE json] [OSV json]
Last updated: 2024-11-18T08:45:21.798Z
Affected
- Apache HertzBeat before 1.6.1
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat.
This issue affects Apache HertzBeat: before 1.6.1.
Users are recommended to upgrade to version 1.6.1, which fixes the issue.
References
- https://lists.apache.org/thread/jmbsfjsvrfnvosh1ftrm3ry4j3sb7doz
- https://lists.apache.org/thread/lvsczrp8kdynppmzyxtkh4ord4gpw1ph
Credits
- Ícaro Torres (finder)
Exists Native Deser RCE and file writing vulnerabilities
CVE-2024-45505 [CVE] [CVE json] [OSV json]
Last updated: 2024-11-18T08:44:44.304Z
Affected
- Apache HertzBeat before 1.6.1
Description
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating).
This vulnerability can only be exploited by authorized attackers.This issue affects Apache HertzBeat (incubating): before 1.6.1.
Users are recommended to upgrade to version 1.6.1, which fixes the issue.
References
- https://lists.apache.org/thread/h8k14o1bfyod66p113pkgnt1s52p6p19
- https://lists.apache.org/thread/gvbc68krhqhht7mkkkx7k13k6k6fdhy0
Credits
- Unam4 (finder)
- Springkilll (finder)
- yemoli (finder)
- yulate (finder)
RCE by snakeYaml deser load malicious xml
CVE-2024-42323 [CVE] [CVE json] [OSV json]
Last updated: 2024-09-21T09:30:13.062Z
Affected
- Apache HertzBeat before 1.6.0
Description
SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating).
This vulnerability can only be exploited by authorized attackers.This issue affects Apache HertzBeat (incubating): before 1.6.0.
Users are recommended to upgrade to version 1.6.0, which fixes the issue.
References
- https://lists.apache.org/thread/r0c4tost4bllqc1n9q6rmzs1slgsq63t
- https://lists.apache.org/thread/dwpwm572sbwon1mknlwhkpbom2y7skbx
Credits
- Yulate (reporter)
- Liufeng Yi (reporter)
RCE by notice template injection vulnerability
CVE-2024-41151 [CVE] [CVE json] [OSV json]
Last updated: 2025-04-16T11:19:50.180Z
Affected
- Apache HertzBeat before 1.6.1
Description
Deserialization of Untrusted Data vulnerability in Apache HertzBeat.
This vulnerability can only be exploited by authorized attackers.This issue affects Apache HertzBeat: before 1.6.1.
Users are recommended to upgrade to version 1.6.1, which fixes the issue.
References
- https://lists.apache.org/thread/p33tg0vo5nh6kscth4262ktsqo3h5lqo
- https://lists.apache.org/thread/oor9nw6nh2ojnfw8d8oxrv40cbtk5mwj
Credits
- Li Yi Wei (finder)
- Elin Kai (finder)