CVE 8.8 HIGH

Apache HugeGraph-Server: RAFT and deserialization vulnerability_CVE-2025-26866

December 12, 2025 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks.

Users are recommended to upgrade to version 1.7.0, which fixes the issue.

AI Analysis

Remote code execution vulnerability due to insecure Hessian deserialization

Basic Information

ID CVE-2025-26866

Source apache

Published Dec 12, 2025 at 09:23

Modified Dec 12, 2025 at 16:45

Affected Product

Vendor Apache Software Foundation

Product Apache HugeGraph-Server

Version 1.0.0

Affected Versions Apache Software Foundation Apache HugeGraph-Server 1.0.0

CWE Classification

CWE-502

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Apache Software Foundation

Product Apache HugeGraph-Server

Version 1.0.0

References

{
    "lastseen": "",
    "description": "A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks.\n\n\n\n\nUsers are recommended to upgrade to version 1.7.0, which fixes the issue.",
    "published": "2025-12-12T09:23:07.681Z",
    "modified": "2025-12-12T16:45:21.252Z",
    "type": "cve",
    "title": "Apache HugeGraph-Server: RAFT and deserialization vulnerability",
    "source": "apache",
    "references": "https://github.com/apache/incubator-hugegraph/pull/2735\nhttps://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq",
    "id": "CVE-2025-26866",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache HugeGraph-Server 1.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache HugeGraph-Server",
    "version": "1.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "Remote code execution vulnerability due to insecure Hessian deserialization",
    "ai_severity": "High",
    "ai_vendor": "Apache Software Foundation",
    "ai_product": "Apache HugeGraph-Server",
    "ai_version": "1.0.0",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply