Remote Code Execution with untrusted URI of UDF vulnerability in Apache IoTDB. The attacker who has privilege to create UDF can register malicious function from untrusted URI. This issue affects Apache IoTDB: from 1.0.0 before 1.3.4. Users are recommended to upgrade to version 1.3.4, which fixes the issue.
Apache IoTDB allows users to register custom user-defined functions (UDF) by providing a URI pointing to a file with the function implementation. This mechanism does not sufficiently verify the trustworthiness of the provided URI, allowing an attacker with UDF creation privileges to point to a malicious external resource. Loading and executing code from such an untrusted URI leads to arbitrary code execution on the server side (RCE). The vulnerability is classified as CWE-94, which is uncontrolled code modification/injection.
An attacker can achieve full remote code execution (RCE) on the Apache IoTDB server, which may lead to violation of confidentiality, integrity and availability of data and the entire system.
Apache IoTDB should be updated to version 1.3.4, which contains a fix eliminating this vulnerability. Additionally, it is recommended to review and restrict permissions to create UDF exclusively to trusted users.
Apache IoTDB in versions from 1.0.0 to 1.3.3 (before version 1.3.4)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Iotdb
APPApache1.0.0 – 1.3.4 (bez)
Related vulnerabilities
Krytyczna podatność w Apache IoTDB (CVE-2026-24015)
Nieprawidłowa walidacja danych wejściowych w Apache IoTDB — RCE/injection
RCE w Apache IoTDB — zdalne wykonanie kodu bez uwierzytelnienia
Deserializacja niezaufanych danych w Apache IoTDB (RCE)
Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoT...