CVE-2025-66524

Published: Dic 19, 2025 Last Modified: Gen 08, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,5
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: high
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
HIGH 8,8
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high

Description

AI Translation Available

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0012
Percentile
0,3th
Updated

EPSS Score Trend (Last 87 Days)

502

Deserialization of Untrusted Data

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Availability Other
Potential Impacts:
Modify Application Data Unexpected State Dos: Resource Consumption (Cpu) Varies By Context
Applicable Platforms
Languages: Java, JavaScript, PHP, Python, Ruby
Technologies: AI/ML, ICS/OT, Not Technology-Specific
Likelihood of Exploit: Medium
View CWE Details
Application

Nifi by Apache

Product Information
Vendor Apache
Product Nifi
Version 2.7.0
cpe:2.3:a:apache:nifi:2.7.0:rc2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Nifi by Apache

Product Information
Vendor Apache
Product Nifi
Version 2.7.0
cpe:2.3:a:apache:nifi:2.7.0:rc1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Nifi by Apache

Product Information
Vendor Apache
Product Nifi
Version Range Affected
From 1.20.0 (inclusive)
To 2.7.0 (exclusive)
cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
http://www.openwall.com/lists/oss-security/2025/12/18/2
http://www.openwall.com/lists/oss-security/2025/12/18/2
https://lists.apache.org/thread/k9h004ydjg7opdvxr0nfywtzf33…
https://lists.apache.org/thread/k9h004ydjg7opdvxr0nfywtzf33z60d7