Apache Ignite security advisories

Security information for Apache Ignite

Reporting

Do you want disclose a potential security issue for Apache Ignite? You can read more about the projects’ security policy on their security page, and email your report to the Apache Ignite Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

REST HTTP arbitrary file read vulnerability

CVE-2025-48977 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-28T08:58:05.304Z

Affected

  • Apache Ignite from 2.0.0 through 2.17.0

Description

Relative Path Traversal vulnerability in Apache Ignite REST API.

Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way.

This issue affects Apache Ignite: from 2.0.0 through 2.17.0.

Users are recommended to upgrade to version 2.18.0, which fixes the issue.

References

Possible RCE when deserializing incoming messages by the server node

CVE-2024-52577 [CVE] [CVE json] [OSV json]

Last updated: 2025-02-14T09:55:31.279Z

Affected

  • Apache Ignite from 2.6.0 before 2.17.0

Description

In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.


References

Credits