Apache Ignite security advisories
Security information for Apache Ignite
Reporting
Do you want disclose a potential security issue for Apache Ignite? You can read more about the projects’ security policy on their security page, and email your report to the Apache Ignite Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
REST HTTP arbitrary file read vulnerability
CVE-2025-48977 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-28T08:58:05.304Z
Affected
- Apache Ignite from 2.0.0 through 2.17.0
Description
Relative Path Traversal vulnerability in Apache Ignite REST API.
Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way.This issue affects Apache Ignite: from 2.0.0 through 2.17.0.
Users are recommended to upgrade to version 2.18.0, which fixes the issue.
References
Possible RCE when deserializing incoming messages by the server node
CVE-2024-52577 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-14T09:55:31.279Z
Affected
- Apache Ignite from 2.6.0 before 2.17.0
Description
In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.
References
Credits
- zhattatey (zhattatey@gmail.com) (finder)
- zhattatey (zhattatey@gmail.com) (reporter)
- Mikhail Petrov (mpetrov@apache.org) (remediation developer)
- Alex Plehanov (plehanov.alex@gmail.com) (remediation reviewer)