PyPI: apache-iotdb
CVE-2025-48459
Safety vulnerability ID: SFTY-20250924-35440
### Summary Apache IoTDB deserializes data from external inputs without sufficient validation, allowing attacker-controlled serialized objects to be processed. In environments where a compatible gadget chain is reachable, this can be abused to execute arbitrary code or alter server state; at minimum it enables high-impact integrity and confidentiality compromise on the IoTDB process. ### Affected Apache IoTDB **from 1.0.0 before 2.0.5**. ### Remediation Upgrade to **2.0.5**, which addresses the flaw. If immediate upgrade is not possible, restrict exposure of IoTDB endpoints to trusted networks and disable or sanitize any feature paths that accept serialized payloads. These mitigations are defense-in-depth only; upgrading to 2.0.5 is the definitive fix.
Overview
Apache IoTDB: Deserialization of untrusted Data
Advisory
Apache IoTDB: Deserialization of untrusted Data
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20250924-35440/CVE-2025-48459
- https://nvd.nist.gov/vuln/detail/CVE-2025-48459
- https://lists.apache.org/thread/mr84n19nv8d0bmcrfsj3mm5ff5qn4q2f
- https://github.com/apache/iotdb/commit/5ad4a940ed84abca27c7e8be86cb371a49900491
- https://github.com/advisories/GHSA-776q-jw43-fhjx
- http://www.openwall.com/lists/oss-security/2025/09/24/8
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-iotdb/PYSEC-2025-88.yaml
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more