A significant security vulnerability has been identified in Apache NiFi, allowing potential attackers with specific access privileges to expose MongoDB authentication credentials.
The vulnerability, tracked as CVE-2025-27017 (NIFI-14272), affects multiple versions of the Apache NiFi data processing system and could potentially lead to unauthorized database access in affected deployments.
The vulnerability stems from Apache NiFi’s improper handling of authentication credentials in its provenance event logging functionality.
Apache NiFi Vulnerability
The security flaw exists in Apache NiFi versions 1.13.0 through 2.2.0, where the system inadvertently includes MongoDB usernames and passwords in the provenance events generated during data processing operations.
Provenance events in NiFi are detailed records of data lineage that track the history of data as it moves through the system’s workflow.
These events, meant to provide transparency and auditability, were unintentionally exposing sensitive authentication information. Security researcher Robert Creese discovered the vulnerability and reported it through proper channels.
The issue is specifically concerning because any authorized NiFi user with read access to provenance events could potentially view these MongoDB credentials.
This exposure creates a significant security risk, as compromised database credentials could lead to unauthorized data access, manipulation, or exfiltration of sensitive information stored in MongoDB databases connected to the NiFi instance.
| Risk Factors | Details |
|---|---|
| Affected Products | Apache NiFi versions 1.13.0 through 2.2.0. Package: org.apache.nifi:nifi-mongodb-services-nar. Version range: >= 1.13.0, < 2.3.0. Apache NiFi 2.3.0 is unaffected |
| Impact | Exposure of MongoDB usernames and passwords in provenance events |
| Exploit Prerequisites | Authorized NiFi use, read access to provenance events |
| CVSS 3.0 Score | 6.5 (Medium Severity) |
Impact
Organizations using affected versions of Apache NiFi in conjunction with MongoDB face a potential security risk if unauthorized parties gain access to provenance records.
The exposure of database credentials could compromise the confidentiality and integrity of data managed through these systems. The vulnerability is particularly concerning for organizations in regulated industries or those handling sensitive information.
Apache has addressed this issue in the latest release of NiFi. Version 2.3.0, which is unaffected by this vulnerability, properly removes credentials from provenance event records.
The official recommendation from the Apache NiFi team is to upgrade immediately to version 2.3.0 to mitigate this risk.
For organizations unable to upgrade immediately, implementing strict access controls for provenance data and conducting security audits to detect potential credential exposure are recommended as temporary measures.
Additionally, organizations should consider rotating MongoDB credentials after upgrading to ensure previously exposed credentials can no longer be used for unauthorized access.
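One way to run the audit described above, as an added example (not code from Apache NiFi or the advisory): it walks exported provenance events and flags any string value holding a MongoDB connection URI with embedded credentials, redacting the password in the report so the findings can drive credential rotation. The JSON field names, the assumption that the leak appears in connection-URI form, and the sample events are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: leaked credentials appear as userinfo in a MongoDB connection URI
# (mongodb://user:password@host or mongodb+srv://user:password@host).
MONGO_CRED_URI = re.compile(
    r"(?P<pre>mongodb(?:\+srv)?://(?P<user>[^:/@\s\"']+):)(?P<pw>[^@/\s\"']+)"
    r"(?P<post>@(?P<host>[^/\s\"'?]+))"
)

def walk_strings(node, path=""):
    """Yield (json_path, string) for every string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_exposed_credentials(events):
    """Return one finding per credential-bearing URI, with the password redacted."""
    findings = []
    for event in events:
        for path, text in walk_strings(event):
            for m in MONGO_CRED_URI.finditer(text):
                findings.append({
                    "event_id": event.get("eventId"),  # assumed field name
                    "field": path,
                    "username": unquote(m.group("user")),
                    "host": m.group("host"),
                    "redacted": MONGO_CRED_URI.sub(r"\g<pre>***\g<post>", text),
                })
    return findings

# Constructed sample export; hosts, users and passwords are made up.
SAMPLE_EVENTS = [
    {"eventId": 101, "eventType": "SEND",
     "transitUri": "mongodb://etl_user:S3cr3t%21@db1.example.internal:27017/orders"},
    {"eventId": 102, "eventType": "RECEIVE",
     "transitUri": "mongodb://db1.example.internal:27017/orders"},
    {"eventId": 103, "eventType": "ATTRIBUTES_MODIFIED", "attributes": [
        {"name": "source",
         "value": "mongodb+srv://report:pw123@cluster0.example.internal/reports"}]},
]

if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE_EVENTS):
        print(finding)
```

Each distinct username and host pair in the output identifies a MongoDB account to rotate.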
This vulnerability serves as a reminder of the importance of comprehensive security auditing across all components of data processing systems, particularly focusing on how authentication credentials are handled throughout the application lifecycle.