Apache SeaTunnel security advisories

Security information for Apache SeaTunnel

Reporting

Do you want disclose a potential security issue for Apache SeaTunnel? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Unauthenticated insecure access

CVE-2025-32896 [CVE] [CVE json] [OSV json]

Last updated: 2025-06-19T08:34:42.552Z

Affected

  • Apache SeaTunnel from 2.3.1 through 2.3.10

Description

Summary

Unauthorized users can perform Arbitrary File Read and Deserialization
attack by submit job using restful api-v1.

# Details
Unauthorized users can access /hazelcast/rest/maps/submit-job to submit
job.
An attacker can set extra params in mysql url to perform Arbitrary File
Read and Deserialization attack.

This issue affects Apache SeaTunnel: <=2.3.10

# Fixed

Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

References

Credits

  • Owen Amadeus (reporter)
  • liyiwei (reporter)

Arbitrary file read vulnerability

CVE-2023-49198 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-21T09:37:50.824Z

Affected

  • Apache SeaTunnel Web at 1.0.0

Description

Mysql security vulnerability in Apache SeaTunnel.

Attackers can read files on the MySQL server by modifying the information in the MySQL URL

allowLoadLocalInfile=true&allowUrlInLocalInfile=true&allowLoadLocalInfileInPath=/&maxAllowedPacket=655360

This issue affects Apache SeaTunnel: 1.0.0.

Users are recommended to upgrade to version [1.0.1], which fixes the issue.

References

Credits

  • jiahua huang (reporter)

Authentication bypass

CVE-2023-48396 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-30T08:15:30.810Z

Affected

  • Apache SeaTunnel Web at 1.0.0

Description

Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user.

Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token.

This issue affects Apache SeaTunnel: 1.0.0.

Users are recommended to upgrade to version 1.0.1, which fixes the issue.

References

Credits

  • jiahua huang / Joyh (reporter)