Apache SeaTunnel security advisories
Security information for Apache SeaTunnel
Reporting
Do you want disclose a potential security issue for Apache SeaTunnel? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Unauthenticated insecure access
CVE-2025-32896 [CVE] [CVE json] [OSV json]
Last updated: 2025-06-19T08:34:42.552Z
Affected
- Apache SeaTunnel from 2.3.1 through 2.3.10
Description
Summary
Unauthorized users can perform Arbitrary File Read and Deserialization
attack by submit job using restful api-v1.
# Details
Unauthorized users can access /hazelcast/rest/maps/submit-job to submit
job.
An attacker can set extra params in mysql url to perform Arbitrary File
Read and Deserialization attack.
This issue affects Apache SeaTunnel: <=2.3.10
# Fixed
Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.
References
- https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9
- https://github.com/apache/seatunnel/pull/9010
Credits
- Owen Amadeus (reporter)
- liyiwei (reporter)
Arbitrary file read vulnerability
CVE-2023-49198 [CVE] [CVE json] [OSV json]
Last updated: 2024-08-21T09:37:50.824Z
Affected
- Apache SeaTunnel Web at 1.0.0
Description
Mysql security vulnerability in Apache SeaTunnel.
Attackers can read files on the MySQL server by modifying the information in the MySQL URL
allowLoadLocalInfile=true&allowUrlInLocalInfile=true&allowLoadLocalInfileInPath=/&maxAllowedPacket=655360
This issue affects Apache SeaTunnel: 1.0.0.
Users are recommended to upgrade to version [1.0.1], which fixes the issue.
References
Credits
- jiahua huang (reporter)
Authentication bypass
CVE-2023-48396 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-30T08:15:30.810Z
Affected
- Apache SeaTunnel Web at 1.0.0
Description
Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge
any token to log in any user.
Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token.
This issue affects Apache SeaTunnel: 1.0.0.
Users are recommended to upgrade to version 1.0.1, which fixes the issue.
References
Credits
- jiahua huang / Joyh (reporter)