Apache Hertzbeat security advisories

Security information for Apache Hertzbeat

Reporting

Do you want disclose a potential security issue for Apache Hertzbeat? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Uncontrolled Resource Consumption via Crafted XPath Expressions

CVE-2026-24343 [CVE] [CVE json] [OSV json]

Last updated: 2026-02-09T15:07:42.730Z

Affected

  • Apache HertzBeat from 1.7.1 before 1.8.0

Description

Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat.

This issue affects Apache HertzBeat: from 1.7.1 before 1.8.0.

Users are recommended to upgrade to version 1.8.0, which fixes the issue.

References

Jmx JNDI injection vulnerability

CVE-2025-48208 [CVE] [CVE json] [OSV json]

Last updated: 2025-09-09T09:31:33.928Z

Affected

  • Apache HertzBeat (incubating) through 1.7.2

Description

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache HertzBeat .

The attacker needs to have an authenticated account with access, and the attack can only be triggered by crafting custom commands. A successful attack would result in arbitrary script execution.

This issue affects Apache HertzBeat: through 1.7.2.

Users are recommended to upgrade to version [1.7.3], which fixes the issue.

References

Credits

  • F10wers13eiCHeng (finder)
  • aftersnow (finder)

RCE by parse http sitemap xml response

CVE-2025-24404 [CVE] [CVE json] [OSV json]

Last updated: 2025-09-09T09:30:57.298Z

Affected

  • Apache HertzBeat (incubating) before 1.7.0

Description

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat.

The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing vulnerability.

This issue affects Apache HertzBeat (incubating): before 1.7.0.

Users are recommended to upgrade to version 1.7.0, which fixes the issue.

References

Credits

  • unam4 (finder)
  • springkill (finder)
  • Zoiltin (finder)

Server-Side Request Forgery (SSRF) in Api Config Oss

CVE-2024-56736 [CVE] [CVE json] [OSV json]

Last updated: 2025-04-16T15:38:09.273Z

Affected

  • Apache HertzBeat before 1.7.0

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache HertzBeat.

This issue affects Apache HertzBeat (incubating): before 1.7.0.

Users are recommended to upgrade to version 1.7.0, which fixes the issue.

References

Credits

  • tonghuaroot (finder)
  • zyufoye (finder)

Exposure sensitive token via http GET method with query string

CVE-2024-45791 [CVE] [CVE json] [OSV json]

Last updated: 2024-11-18T08:45:21.798Z

Affected

  • Apache HertzBeat before 1.6.1

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat.

This issue affects Apache HertzBeat: before 1.6.1.

Users are recommended to upgrade to version 1.6.1, which fixes the issue.

References

Credits

  • Ícaro Torres (finder)

Exists Native Deser RCE and file writing vulnerabilities

CVE-2024-45505 [CVE] [CVE json] [OSV json]

Last updated: 2024-11-18T08:44:44.304Z

Affected

  • Apache HertzBeat before 1.6.1

Description

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache HertzBeat (incubating).

This vulnerability can only be exploited by authorized attackers.

This issue affects Apache HertzBeat (incubating): before 1.6.1.

Users are recommended to upgrade to version 1.6.1, which fixes the issue.

References

Credits

  • Unam4 (finder)
  • Springkilll (finder)
  • yemoli (finder)
  • yulate (finder)

RCE by snakeYaml deser load malicious xml

CVE-2024-42323 [CVE] [CVE json] [OSV json]

Last updated: 2024-09-21T09:30:13.062Z

Affected

  • Apache HertzBeat before 1.6.0

Description

SnakeYaml Deser Load Malicious xml rce vulnerability in Apache HertzBeat (incubating). 

This vulnerability can only be exploited by authorized attackers.

This issue affects Apache HertzBeat (incubating): before 1.6.0.

Users are recommended to upgrade to version 1.6.0, which fixes the issue.


References

Credits

  • Yulate (reporter)
  • Liufeng Yi (reporter)

RCE by notice template injection vulnerability

CVE-2024-41151 [CVE] [CVE json] [OSV json]

Last updated: 2025-04-16T11:19:50.180Z

Affected

  • Apache HertzBeat before 1.6.1

Description

Deserialization of Untrusted Data vulnerability in Apache HertzBeat.

This vulnerability can only be exploited by authorized attackers.

This issue affects Apache HertzBeat: before 1.6.1.

Users are recommended to upgrade to version 1.6.1, which fixes the issue.

References

Credits

  • Li Yi Wei (finder)
  • Elin Kai (finder)