Publish GHSA-776q-jw43-fhjx

advisory-database[bot] · advisory-database[bot] · commit 01a5e466aec8 · 2025-09-27T02:30:17.000Z
diff --git a/advisories/github-reviewed/2025/09/GHSA-776q-jw43-fhjx/GHSA-776q-jw43-fhjx.json b/advisories/github-reviewed/2025/09/GHSA-776q-jw43-fhjx/GHSA-776q-jw43-fhjx.json
@@ -1,17 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-776q-jw43-fhjx",
-  "modified": "2025-09-24T18:58:41Z",
+  "modified": "2025-09-27T02:28:53Z",
   "published": "2025-09-24T09:30:19Z",
   "aliases": [
     "CVE-2025-48459"
   ],
   "summary": "Apache IoTDB: Deserialization of untrusted Data",
-  "details": "Deserialization of Untrusted Data vulnerability in Apache IoTDB.\n\nThis issue affects Apache IoTDB: from 1.0.0 before 2.0.5.\n\nUsers are recommended to upgrade to version 2.0.5, which fixes the issue.",
+  "details": "### Summary\n\nApache IoTDB deserializes data from external inputs without sufficient validation, allowing attacker-controlled serialized objects to be processed. In environments where a compatible gadget chain is reachable, this can be abused to execute arbitrary code or alter server state; at minimum it enables high-impact integrity and confidentiality compromise on the IoTDB process.\n\n### Affected\n\nApache IoTDB **from 1.0.0 before 2.0.5**.\n\n### Remediation\n\nUpgrade to **2.0.5**, which addresses the flaw. If immediate upgrade is not possible, restrict exposure of IoTDB endpoints to trusted networks and disable or sanitize any feature paths that accept serialized payloads. These mitigations are defense-in-depth only; upgrading to 2.0.5 is the definitive fix.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -44,6 +48,10 @@
       "type": "WEB",
       "url": "https://github.com/apache/iotdb/commit/5ad4a940ed84abca27c7e8be86cb371a49900491"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-776q-jw43-fhjx"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/apache/iotdb"
@@ -57,7 +65,7 @@
     "cwe_ids": [
       "CWE-502"
     ],
-    "severity": "HIGH",
+    "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2025-09-24T18:58:41Z",
     "nvd_published_at": "2025-09-24T08:15:32Z"
