Apache InLong CVE-2025-27522 Exposes RCE Attacks

A newly disclosed vulnerability, tracked as CVE-2025-27522, has been discovered in Apache InLong, a widely used real-time data streaming platform. The Apache InLong vulnerability introduces the potential for remote code execution (RCE). 

The vulnerability affects Apache InLong versions 1.13.0 through 2.1.0, making a wide range of deployments potentially vulnerable. According to the official Apache security advisory, the flaw results from the deserialization of untrusted data during JDBC verification processing, allowing attackers to exploit how serialized Java objects are handled. 

The Nature of the Apache InLong Vulnerability (CVE-2025-27522) 

Designated as CVE-2025-27522, this vulnerability is classified as moderate in severity, yet its potential impact on production environments is far from trivial. It serves as a secondary mining bypass for a previously disclosed vulnerability, CVE-2024-26579. 

This particular vulnerability stems from insecure handling of serialized data in InLong’s JDBC component. When data is received during JDBC verification, Apache InLong fails to adequately sanitize or validate the contents before deserializing them. Malicious actors could exploit this gap to send specially crafted payloads, which, when deserialized, could trigger unauthorized behavior such as file manipulation or arbitrary code execution. 

Official Disclosure and Technical Insight

The vulnerability was disclosed by security researchers known as yulate and m4x, and was officially published in a message by Charles Zhang to Apache’s developer mailing list on Wednesday, May 28. According to Apache, affected users should immediately upgrade to InLong version 2.2.0 or apply the fix included in GitHub Pull Request #11732. 

The CVE entry for CVE-2025-27522 can be found in the official CVE database. Apache’s GitHub repository includes detailed documentation of the issue and the remediation steps taken in the patch. The patch, merged by contributor dockerzhang on February 9, addressed sensitive parameter bypasses during JDBC processing.

Security Implications and Exploitation Risk 

While no public proof-of-concept or reports of active exploitation have surfaced, the vulnerability is considered network-exploitable and does not require user interaction, which elevates the risk. The Common Weakness Enumeration (CWE) identifier assigned to this flaw is CWE-502: Deserialization of Untrusted Data—a well-known class of vulnerabilities that has historically led to severe security breaches. 

According to Apache, the CVSS v3.1 base score for CVE-2025-27522 ranges between 5.3 and 6.5, indicating a moderate to high severity level. Given its potential for enabling remote code execution, even moderate CVSS scores warrant serious attention.

Recommended Mitigation Steps 

To mitigate the Apache InLong vulnerability: 

  • Upgrade to Apache InLong 2.2.0 immediately. 
  • Alternatively, apply the cherry-picked patch #11732 from the Apache GitHub repository. 
  • Restrict sources of serialized data and implement input validation and sanitization on all data that may be deserialized. 
  • Monitor systems for signs of suspicious deserialization behavior or unauthorized activity. 

A sample secure deserialization code snippet for Java can help reduce similar risks in custom implementations: 
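As an added illustration (not the article's own snippet and not Apache InLong code), the following Java shows the allowlisting approach from the mitigation list above using a JEP 290 ObjectInputFilter; the class names SafeDeserializer and JdbcCheckRequest and the sample inputs are assumptions constructed for the example.

```java
import java.io.*;
import java.util.HashMap;

/**
 * Added example, not Apache InLong's own code: deserialization guarded by a
 * JEP 290 ObjectInputFilter (Java 9+). Only an explicit allowlist of classes
 * may be reconstructed; any other class, including gadget-chain types hidden
 * in untrusted bytes, is rejected before its readObject logic can run.
 */
public final class SafeDeserializer {

    /** Hypothetical request type this service expects on the wire (an assumption). */
    public static final class JdbcCheckRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String jdbcUrl;
        JdbcCheckRequest(String jdbcUrl) { this.jdbcUrl = jdbcUrl; }
    }

    // Allowlist: the expected class and String (its only field type); reject everything else.
    // The limits bound nesting depth, reference count and stream size against resource-exhaustion payloads.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxrefs=64;maxbytes=4096;"
            + "SafeDeserializer$JdbcCheckRequest;java.lang.String;!*");

    public static JdbcCheckRequest deserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(FILTER);        // must be installed before readObject()
            Object o = ois.readObject();             // the filter is consulted for every class and array read
            if (!(o instanceof JdbcCheckRequest)) {  // also enforce the expected root type explicitly
                throw new InvalidClassException("unexpected root type " + o.getClass().getName());
            }
            return (JdbcCheckRequest) o;
        }
    }

    /** Serializes an object so the demo below can construct sample input. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the expected request type passes the filter.
        JdbcCheckRequest ok = deserialize(serialize(new JdbcCheckRequest("jdbc:mysql://db.example/test")));
        System.out.println("accepted: " + ok.jdbcUrl);

        // Constructed sample input: a class outside the allowlist (a plain HashMap) is rejected.
        try {
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with the `jdk.serialFilter` system property, which also covers deserialization in third-party code that never calls `setObjectInputFilter` itself.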

Conclusion 

CVE-2025-27522 highlights how deserialization vulnerabilities can target enterprise systems. Given Apache InLong’s role in managing large-scale data ingestion and distribution, any security flaw, especially one that could lead to remote code execution, requires quick and decisive action. Security teams should prioritize applying the patch or upgrading to Apache InLong 2.2.0, while also reinforcing general deserialization protections across their application stack.  

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

