CVE-2025-24860 Overview
CVE-2025-24860 is an Incorrect Authorization vulnerability (CWE-863) in Apache Cassandra. When CassandraNetworkAuthorizer (4.0 and later) or CassandraCIDRAuthorizer (5.0) is in use, an authenticated user whose role is restricted to particular datacenters or IP/CIDR groups can widen that restriction by executing data control language (DCL) statements against their own role, reaching datacenters or CIDR groups they were never granted and bypassing the network-level access control the authorizers are meant to enforce.
Critical Impact
Authenticated users can modify their own permissions via DCL statements to gain unauthorized access to restricted datacenters and network segments, potentially exposing sensitive data across the distributed database cluster.
Affected Products
- Apache Cassandra 4.0.0 through 4.0.15 (CassandraNetworkAuthorizer)
- Apache Cassandra 4.1.0 through 4.1.7 (CassandraNetworkAuthorizer)
- Apache Cassandra 5.0.0 through 5.0.2 (CassandraNetworkAuthorizer and CassandraCIDRAuthorizer)
Discovery Timeline
- 2025-02-04 - CVE-2025-24860 published to NVD
- 2025-06-09 - Last updated in NVD database
Technical Details for CVE-2025-24860
Vulnerability Analysis
This vulnerability stems from an authorization gap in Apache Cassandra's network authorization components. CassandraNetworkAuthorizer (4.0 and later) limits which datacenters a role may connect to, and CassandraCIDRAuthorizer (5.0) limits which IP/CIDR groups a role may connect from; both restrictions are attached to the role and changed through DCL statements. On affected versions, the checks applied to those statements do not stop a restricted role from changing its own restriction.
A role with limited access to the cluster can therefore rewrite its own network access. The authorization design never intended self-modification of these restrictions, and allowing it breaks the security model of multi-datacenter deployments that rely on network-level access boundaries.
Organizations using these authorizers to segment access across datacenters for compliance, data sovereignty, or security isolation purposes are particularly at risk, as the intended access boundaries can be circumvented.
Root Cause
The root cause is classified as CWE-863 (Incorrect Authorization). Datacenter and CIDR access are role options set with CREATE ROLE and ALTER ROLE (WITH ACCESS TO DATACENTERS {...} or ACCESS TO ALL DATACENTERS, and on 5.0 WITH ACCESS FROM CIDRS {...} or ACCESS FROM ALL CIDRS). On affected versions the authorization checks applied to these DCL statements do not prevent a role with restricted datacenter or CIDR access from applying them to its own role, so the restriction an administrator configured can be removed by the very role it was meant to constrain. The fixed releases (4.0.16, 4.1.8, 5.0.3) close this gap.
Attack Vector
The attack vector is network-based and requires low-privilege authenticated access to the Cassandra cluster. An attacker with legitimate but restricted credentials can exploit this vulnerability by:
- Authenticating to the Cassandra cluster with valid credentials that have limited datacenter access
- Executing DCL statements against their own role (the ALTER ROLE ... WITH ACCESS TO DATACENTERS / ACCESS FROM CIDRS options that set network-level access) to alter their own network-level permissions
- Gaining access to previously restricted datacenters or IP/CIDR groups
- Querying or modifying data in datacenters they were not authorized to access
The vulnerability requires no user interaction and is exploitable over the native CQL (Cassandra Query Language) protocol with ordinary client tooling such as cqlsh.
Detection Methods for CVE-2025-24860
Indicators of Compromise
- Unexpected changes to system_auth.network_permissions (and, on 5.0, system_auth.cidr_permissions) for roles that are supposed to be network-restricted, including rows that disappear
- Audit log entries showing DCL statements (GRANT, REVOKE, CREATE ROLE, ALTER ROLE) executed by non-administrative roles, in particular a role altering its own datacenter or CIDR access
- Roles connecting to datacenters, or from source addresses, outside their originally assigned network boundaries
- Anomalous cross-datacenter query patterns from accounts with previously restricted access
Detection Strategies
- Enable and review Cassandra audit logging to capture all DCL statement executions and identify unauthorized permission modifications
- Take periodic snapshots of system_auth.network_permissions (and system_auth.cidr_permissions on 5.0) and compare them against a known-good baseline to detect permission drift
- Configure alerting on authorization-related queries executed by non-superuser accounts
- Deploy network monitoring to identify cross-datacenter traffic patterns that violate expected access policies
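The following is an added example, not code from the advisory or from the Cassandra project. It parses audit log lines in the pipe-separated key:value layout that Cassandra's FileAuditLogger writes (user:...|host:...|source:...|port:...|timestamp:...|type:...|category:...|operation:...) and flags DCL statements that change datacenter or CIDR access, separating a role that alters its own access (the self-modification described under Attack Vector above) from any other non-administrative actor. The sample lines, role names, administrator set and datacenter names are constructed; the statements in them use the documented ALTER ROLE ... WITH ACCESS TO DATACENTERS / ACCESS FROM CIDRS forms, which is an assumption about how such a change would appear in your log.

```python
"""Flag datacenter/CIDR access changes in Cassandra audit log lines.

Added example, not from the advisory or the Cassandra project. Field layout
follows the FileAuditLogger 'key:value|key:value' format; all sample lines
below are constructed, not captured from a real cluster.
"""
import re

# Constructed sample: an administrator restricts 'analyst' to dc1, then 'analyst'
# widens its own access (the advisory's scenario), then a non-admin role widens
# someone else's access. Timestamps are epoch milliseconds as Cassandra writes them.
SAMPLE_AUDIT_LINES = [
    "user:cassandra|host:10.0.1.5:7000|source:/10.0.9.2|port:50110|timestamp:1738700000000"
    "|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE analyst WITH ACCESS TO DATACENTERS {'dc1'}",
    "user:analyst|host:10.0.1.5:7000|source:/10.0.9.40|port:50322|timestamp:1738700120000"
    "|type:SELECT|category:QUERY|ks:sales|scope:orders|operation:SELECT * FROM sales.orders LIMIT 10",
    "user:analyst|host:10.0.1.5:7000|source:/10.0.9.40|port:50322|timestamp:1738700181000"
    "|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE analyst WITH ACCESS TO ALL DATACENTERS",
    "user:analyst|host:10.0.1.5:7000|source:/10.0.9.40|port:50322|timestamp:1738700182000"
    "|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE analyst WITH ACCESS FROM ALL CIDRS",
    "user:analyst|host:10.0.1.5:7000|source:/10.0.9.40|port:50322|timestamp:1738700190000"
    "|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE analyst WITH PASSWORD = '*******'",
    "user:dba_junior|host:10.0.1.5:7000|source:/10.0.9.77|port:50901|timestamp:1738700400000"
    "|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE etl WITH ACCESS TO DATACENTERS {'dc1', 'dc2'}",
]

# Assumption: the roles that are supposed to manage network access in this cluster.
ADMIN_ROLES = {"cassandra"}

AUDIT_KEYS = ("user", "host", "source", "port", "timestamp", "type", "category", "ks", "scope", "operation")
# Split only on a '|' that starts a known field, so a '|' inside the CQL text survives.
FIELD_SPLIT_RE = re.compile(r"\|(?=(?:%s):)" % "|".join(AUDIT_KEYS))
# Role options that set network-level access (4.0+: datacenters; 5.0: CIDR groups).
NETWORK_ACCESS_RE = re.compile(
    r"\bACCESS\s+(?:TO\s+(?:ALL\s+)?DATACENTERS|FROM\s+(?:ALL\s+)?CIDRS)\b", re.IGNORECASE)
TARGET_ROLE_RE = re.compile(
    r"\b(?:ALTER|CREATE)\s+ROLE\s+(?:IF\s+(?:NOT\s+)?EXISTS\s+)?['\"]?([A-Za-z0-9_]+)", re.IGNORECASE)


def parse_audit_line(line):
    """Turn one FileAuditLogger line into a dict. 'host' keeps its ':port' suffix
    because only the first ':' of a field separates key from value."""
    entry = {}
    for field in FIELD_SPLIT_RE.split(line.strip()):
        key, _, value = field.partition(":")
        entry[key] = value
    return entry


def flag_network_access_changes(lines, admin_roles=ADMIN_ROLES):
    """Return (actor, target_role, reason, timestamp, operation) for every DCL entry
    that sets datacenter or CIDR access. reason is 'self-modification' when the
    actor alters its own role (the pattern this advisory describes) and
    'non-admin' when a role outside admin_roles alters another role."""
    findings = []
    for line in lines:
        entry = parse_audit_line(line)
        if entry.get("category") != "DCL":
            continue
        operation = entry.get("operation", "")
        if not NETWORK_ACCESS_RE.search(operation):
            continue
        match = TARGET_ROLE_RE.search(operation)
        target = match.group(1) if match else None
        actor = entry.get("user")
        if target is not None and actor == target:
            reason = "self-modification"
        elif actor not in admin_roles:
            reason = "non-admin"
        else:
            continue  # an expected administrative change; it stays in the audit trail
        findings.append((actor, target, reason, entry.get("timestamp"), operation))
    return findings


if __name__ == "__main__":
    for actor, target, reason, ts, op in flag_network_access_changes(SAMPLE_AUDIT_LINES):
        print(f"{ts} {reason:<18} actor={actor} target={target} :: {op}")
```

Run it over the files under the audit log directory configured in cassandra.yaml (or over the output of auditlogviewer when the binary log format is in use). Self-modification findings are the ones to investigate first; on a patched cluster they should not occur at all.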
Monitoring Recommendations
- Monitor the system_auth.network_permissions table (and system_auth.cidr_permissions on 5.0), alongside system_auth.role_permissions, for unexpected modifications, including rows that disappear for roles that should remain restricted
- Set up alerts for any GRANT or permission modification statements from users without administrative privileges
- Review datacenter access patterns and flag accounts accessing datacenters not in their original permission set
- Correlate authentication events with subsequent authorization queries to identify privilege escalation attempts
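As an added example (not from the advisory or the Cassandra project), the following compares two snapshots of system_auth.network_permissions and reports every role whose reachable datacenters widened. The snapshot text is assumed to be the CSV written by cqlsh's COPY ... TO STDOUT, with the set column rendered as a quoted {'dc1', 'dc2'} literal; the role names, datacenter names and both snapshots are constructed. One assumption to verify on your version: under CassandraNetworkAuthorizer a role with no row in this table is unrestricted, so a row that vanishes between snapshots is treated as an escalation to every datacenter rather than as a clean-up.

```python
"""Detect widening of datacenter access between two snapshots of
system_auth.network_permissions.

Added example, not from the advisory or the Cassandra project. Snapshots are
CSV as produced by
    cqlsh -u cassandra -e "COPY system_auth.network_permissions (role, dcs) TO STDOUT"
where the set column is assumed to render as a quoted {'dc1', 'dc2'} literal.
Assumption to verify on your version: a role with no row in this table is
unrestricted under CassandraNetworkAuthorizer, so a row that vanishes between
snapshots is an escalation to every datacenter, not a clean-up. Superusers are
never restricted and should be excluded by the caller.
"""
import csv
import io
import re

# Constructed sample: datacenters in the cluster, e.g. as listed by `nodetool status`.
CLUSTER_DCS = {"dc1", "dc2", "dc3"}

# Constructed baseline taken when the restrictions were set up.
BASELINE_CSV = """\
analyst,"{'dc1'}"
etl,"{'dc1', 'dc2'}"
auditor,"{'dc2'}"
"""

# Constructed later snapshot: 'analyst' has no row any more and 'auditor' gained dc1.
CURRENT_CSV = """\
etl,"{'dc1', 'dc2'}"
auditor,"{'dc1', 'dc2'}"
"""

SET_MEMBER_RE = re.compile(r"'([^']*)'")


def load_snapshot(csv_text):
    """Parse role,dcs CSV rows into {role: set(datacenters)}."""
    snapshot = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2 or not row[0].strip():
            continue
        snapshot[row[0].strip()] = set(SET_MEMBER_RE.findall(row[1]))
    return snapshot


def network_permission_drift(baseline, current, cluster_dcs):
    """Return {role: {'before': [...], 'after': [...], 'gained': [...]}} for every
    role that can now reach a datacenter it could not reach in the baseline.
    A role missing from a snapshot is treated as unrestricted (all cluster_dcs),
    so a deleted row shows up as a gain rather than silently dropping out."""
    drift = {}
    for role in sorted(set(baseline) | set(current)):
        before = baseline.get(role, set(cluster_dcs))
        after = current.get(role, set(cluster_dcs))
        gained = after - before
        if gained:
            drift[role] = {"before": sorted(before), "after": sorted(after), "gained": sorted(gained)}
    return drift


if __name__ == "__main__":
    report = network_permission_drift(load_snapshot(BASELINE_CSV), load_snapshot(CURRENT_CSV), CLUSTER_DCS)
    for role, change in report.items():
        print(f"{role}: {change['before']} -> {change['after']} (gained {change['gained']})")
```

Store the baseline outside the cluster (an attacker who can rewrite their own network access should not also be able to rewrite the reference you compare against) and run the comparison from a host that is itself allowed to reach system_auth. Narrowings are deliberately not reported; add them if you also want to catch administrators locking roles out by mistake.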
How to Mitigate CVE-2025-24860
Immediate Actions Required
- Upgrade Apache Cassandra to patched versions: 4.0.16, 4.1.8, or 5.0.3 depending on your current major version
- Review system_auth.network_permissions (and system_auth.cidr_permissions on 5.0) together with system_auth.role_permissions to identify any unauthorized changes, including restrictions that have been silently removed, that may have already occurred
- Audit access logs for evidence of datacenter boundary violations by restricted users
- Consider temporarily disabling non-essential user accounts until the patch is applied
Patch Information
Apache has released security patches that address this authorization bypass vulnerability. Operators should upgrade to the following fixed versions:
- Apache Cassandra 4.0.16 (for 4.0.x deployments)
- Apache Cassandra 4.1.8 (for 4.1.x deployments)
- Apache Cassandra 5.0.3 (for 5.0.x deployments)
For detailed information, refer to the Apache Mailing List Thread and the NetApp Security Advisory.
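The following added example (not from the advisory or the Cassandra project) classifies the version reported by each node against the fixed releases listed above, so a fleet can be checked in one pass and a node left behind during a rolling upgrade is not missed. Input is the text of nodetool version (ReleaseVersion: x.y.z) or a bare version string; the host names and versions in the sample are constructed.

```python
"""Classify Cassandra versions against the releases that fix CVE-2025-24860.

Added example, not from the advisory or the Cassandra project. Input is the
text of `nodetool version` (ReleaseVersion: x.y.z) or a bare version string,
one per node, e.g. gathered over ssh; the host names below are constructed.
"""
import re

# Fixed patch level per affected line, as stated in the advisory.
FIXED_PATCH_LEVEL = {(4, 0): 16, (4, 1): 8, (5, 0): 3}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from 'ReleaseVersion: 4.1.7', '5.0.2-SNAPSHOT', etc.
    Returns None when no version is present."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def classify(text):
    """'fixed'      : at or beyond 4.0.16 / 4.1.8 / 5.0.3 on its line
       'vulnerable' : on an affected line but below the fixed release
       'unlisted'   : a line the advisory does not name (for example 3.x, which has
                      no network authorizer, or releases after 5.0); check manually
       'unknown'    : version could not be parsed"""
    version = parse_version(text)
    if version is None:
        return "unknown"
    major, minor, patch = version
    minimum = FIXED_PATCH_LEVEL.get((major, minor))
    if minimum is None:
        return "unlisted"
    return "fixed" if patch >= minimum else "vulnerable"


def cluster_report(versions_by_host):
    """Per-host classification plus an overall verdict. A single vulnerable node
    (typical mid rolling upgrade) keeps the verdict at 'vulnerable'; the verdict
    is 'fixed' only when every node parsed and sits at or beyond the fixed release."""
    per_host = {host: classify(text) for host, text in versions_by_host.items()}
    statuses = set(per_host.values())
    for status in ("vulnerable", "unknown", "unlisted"):
        if status in statuses:
            return per_host, status
    return per_host, ("fixed" if per_host else "unknown")


# Constructed sample, as if collected with: for h in ...; do ssh "$h" nodetool version; done
SAMPLE_VERSIONS = {
    "cass-dc1-01": "ReleaseVersion: 4.1.8",
    "cass-dc1-02": "ReleaseVersion: 4.1.7",
    "cass-dc2-01": "ReleaseVersion: 4.1.8",
}

if __name__ == "__main__":
    per_host, verdict = cluster_report(SAMPLE_VERSIONS)
    for host, status in per_host.items():
        print(f"{host}: {status}")
    print(f"cluster: {verdict}")
```

Treat 'unlisted' as a prompt to read the advisory rather than as a pass: a 3.x node is not affected because the network authorizer does not exist there, but a release newer than 5.0 is only safe because it postdates the fix, which the table above cannot express.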
Workarounds
- Restrict CQL access to trusted networks and administrative hosts only until patching is complete
- Implement additional network-level controls (firewalls, VPNs) to limit cluster access while waiting to patch
- Review and revoke unnecessary user accounts and minimize the number of users with cluster access
- Enable comprehensive audit logging to detect any exploitation attempts before patches can be applied
# Review the authorizer settings in cassandra.yaml (cidr_authorizer exists on 5.0 only)
grep -E -A2 "^(authorizer|network_authorizer|cidr_authorizer):" /etc/cassandra/cassandra.yaml
# Check the recorded datacenter and CIDR restrictions; cqlsh prompts for the password
# (cidr_permissions exists on 5.0 only)
cqlsh -u cassandra -e "SELECT role, dcs FROM system_auth.network_permissions;"
cqlsh -u cassandra -e "SELECT * FROM system_auth.cidr_permissions;"
# Verify the running version against the fixed releases 4.0.16, 4.1.8 and 5.0.3
nodetool version
# After installing the patched package, restart the service, one node at a time
sudo systemctl restart cassandra
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


