Apache Lucene.NET security advisories

Security information for Apache Lucene.NET

Reporting

Do you want disclose a potential security issue for Apache Lucene.NET? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

XXE vulnerability in Lucene.Net.Analysis.Common PatternParser

CVE-2026-47898 [CVE] [CVE json] [OSV json]

Last updated: 2026-07-03T07:47:36.852Z

Affected

  • Apache Lucene.Net from 4.8.0-beta00005 before 4.8.0-beta00018

Description

Improper Restriction of XML External Entity Reference vulnerability in Apache Lucene.Net (Lucene.Net.Analysis.Common library).

This issue affects Apache Lucene.Net.Analysis.Common: from 4.8.0-beta00005 before 4.8.0-beta00018.

Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.

References

Credits

  • Daniel Cervera (reporter)
  • Paul Irwin (coordinator)
  • Shad Storhaug (remediation reviewer)

Arbitrary file write from malicious server to Lucene.Net.Replicator client

CVE-2026-47897 [CVE] [CVE json] [OSV json]

Last updated: 2026-07-03T07:48:10.017Z

Affected

  • Apache Lucene.Net from 4.8.0-beta00005 before 4.8.0-beta00018

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library).

This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 before 4.8.0-beta00018.

Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.

References

Credits

  • Daniel Cervera (reporter)
  • Paul Irwin (coordinator)
  • Shad Storhaug (remediation reviewer)

Unauthenticated arbitrary file read on the Lucene.Net.Replicator replication server

CVE-2026-47896 [CVE] [CVE json] [OSV json]

Last updated: 2026-07-03T07:48:34.009Z

Affected

  • Apache Lucene.Net from 4.8.0-beta00005 before 4.8.0-beta00018

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache Lucene.Net (Lucene.Net.Replicator library).

This issue affects Apache Lucene.Net.Replicator: from 4.8.0-beta00005 through 4.8.0-beta00017.

Users are recommended to upgrade to version 4.8.0-beta00018, which fixes the issue.

References

Credits

  • Daniel Cervera (reporter)
  • Paul Irwin (coordinator)
  • Shad Storhaug (remediation reviewer)

Remote Code Execution in Lucene.Net.Replicator

CVE-2024-43383 [CVE] [CVE json] [OSV json]

Last updated: 2024-10-31T09:57:26.362Z

Affected

  • Apache Lucene.Net.Replicator from 4.8.0-beta00005 through 4.8.0-beta00016

Description

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator.

This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016.

An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access.

Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.

References

Credits

  • Summ3r, Vidar-Team (reporter)
  • Apache Lucene (remediation developer)