8.7 / 10 (HIGH)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Red
Description
A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion.
A user with permissions to upload artifacts to a Data Fusion instance can execute arbitrary code within the core AppFabric component.
This could allow the attacker to gain control over the Data Fusion instance, potentially leading to unauthorized access to sensitive data, modification of data pipelines, and exploration of the underlying infrastructure.
The following CDAP versions include the necessary update to protect against this vulnerability:
* 6.10.6+
* 6.11.1+

Users must immediately upgrade to one of these versions or a later one, available at: https://github.com/cdapio/cdap-build/releases
AI Analysis
Arbitrary code execution in Google Cloud Data Fusion via malicious artifact upload
Basic Information
ID: CVE-2025-9571
Source: GoogleCloud
Published: Dec 10, 2025 at 07:02
Affected Product
Vendor: Google Cloud
Product: Cloud Data Fusion
Affected Versions
Google Cloud Cloud Data Fusion 0
CWE Classification
AI Assessment
AI Score: 8.7 / 10
AI Severity: High
Vendor: Google Cloud
Product: Cloud Data Fusion
Version: 6.10.6, 6.11.1