Apache NiFi Vulnerability Exposes MongoDB Credentials to Attackers

A critical security vulnerability has been identified in Apache NiFi, a popular open-source data integration tool.

The vulnerability, tracked as CVE-2025-27017, allows authorized users with read access to the system to view sensitive credentials used to connect to MongoDB databases.

 This security flaw affects multiple versions of Apache NiFi, prompting urgent action from users to protect their systems.

Details of the Vulnerability

The vulnerability causes MongoDB usernames and passwords to be included in NiFi provenance events generated by MongoDB components.

This means that anyone with access to these events can extract the credentials, potentially leading to unauthorized access to MongoDB databases.

The following versions of Apache NiFi are affected:

To mitigate this vulnerability, users are advised to upgrade to Apache NiFi 2.3.0, which removes these sensitive credentials from provenance event records. This version is not affected by this vulnerability.

The exposure of MongoDB credentials can have serious implications for data security.

Unauthorized access to these databases could lead to data breaches, tampering, or other malicious activities. Therefore, it is crucial for users of affected Apache NiFi versions to take immediate action.

Recommendation

Upgrade to Apache NiFi 2.3.0: The latest version of Apache NiFi removes the storage of MongoDB credentials in provenance records, thereby eliminating the risk posed by this vulnerability.

Monitor System Access: Ensure that only authorized personnel have access to the provenance events, minimizing potential exposure of credentials.

The vulnerability was discovered by Robert Creese, who has been credited with identifying and reporting this critical issue.

The Apache NiFi project team has acted swiftly to address the problem, emphasizing the importance of community involvement in maintaining software security.

By taking proactive measures and updating their systems, users can safeguard their data and prevent potential security breaches related to this vulnerability.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.