PyPI: apache-iotdb
CVE-2024-24780
Safety vulnerability ID: SFTY-20250514-36785
Safety legacy ID: pyup.io-78841
Affected versions of the Apache IoTDB package are vulnerable to Remote Code Execution due to insufficient validation of User-Defined Function (UDF) registration sources. The UDF registration mechanism allows privileged users to register functions from external URIs without properly validating or restricting the source locations, enabling the loading and execution of malicious code from untrusted remote sources.
Overview
Apache IoTDB Vulnerable to Remote Code Execution
Advisory
Affected versions of the Apache IoTDB package are vulnerable to Remote Code Execution due to insufficient validation of User-Defined Function (UDF) registration sources. The UDF registration mechanism allows privileged users to register functions from external URIs without properly validating or restricting the source locations, enabling the loading and execution of malicious code from untrusted remote sources.
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20250514-36785/CVE-2024-24780
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24780
- https://github.com/advisories/GHSA-f4rq-f4j9-f6rm
- https://nvd.nist.gov/vuln/detail/CVE-2024-24780
- https://lists.apache.org/thread/xphtm98v3zsk9vlpfh481m1ry2ctxvmj
- http://www.openwall.com/lists/oss-security/2025/05/14/2
- https://github.com/apache/iotdb/pull/14365
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2025-59.yaml
- https://github.com/advisories/GHSA-f4rq-f4j9-f6rm
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more