Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-29847

CVE-2025-29847: Apache Linkis Auth Bypass Vulnerability

CVE-2025-29847 is an authentication bypass flaw in Apache Linkis that allows unauthorized access to system files via JDBC parameters. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-29847 Overview

A vulnerability exists in Apache Linkis that allows attackers to bypass security checks through multiple rounds of URL encoding in the JDBC engine and data source functionality. When URL parameters configured on the frontend undergo multiple URL encoding iterations, the system's validation checks can be circumvented, enabling unauthorized access to system files via JDBC parameters.

Critical Impact

This input validation bypass vulnerability allows network-based attackers to gain unauthorized access to sensitive system files without authentication, potentially exposing confidential data and configuration information.

Affected Products

  • Apache Linkis versions 1.3.0 through 1.7.0
  • Systems using the JDBC engine and data source functionality
  • Deployments with frontend-configurable URL parameters

Discovery Timeline

  • 2026-01-19 - CVE-2025-29847 published to NVD
  • 2026-01-20 - Last updated in NVD database

Technical Details for CVE-2025-29847

Vulnerability Analysis

This vulnerability stems from improper input validation (CWE-20) in Apache Linkis's JDBC engine. The flaw allows attackers to bypass security controls that would normally prevent unauthorized file access through JDBC connection parameters.

The vulnerability is exploitable remotely over the network without requiring authentication or user interaction. An attacker can craft specially encoded URL parameters that evade the system's security checks, ultimately gaining read access to arbitrary system files. This could expose sensitive configuration files, credentials, or other confidential information stored on the affected system.

The impact is primarily on confidentiality, as attackers can extract data from the system without affecting its integrity or availability. Organizations running vulnerable versions of Apache Linkis should treat this as a significant security concern, particularly in environments handling sensitive data.

Root Cause

The root cause is insufficient input validation when processing URL-encoded parameters in the JDBC engine. The system performs URL decoding and security checks, but fails to account for scenarios where parameters have been encoded multiple times. After a single round of decoding, the parameter may still contain encoded characters that will be decoded again later in the processing pipeline, bypassing the initial security checks.

The recommended solution is to continuously check if the connection information contains the % character (indicating URL encoding) and perform URL decoding iteratively until no encoded characters remain before applying security validation.

Attack Vector

The attack is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:

  1. Identifying a vulnerable Apache Linkis instance with JDBC engine functionality exposed
  2. Crafting malicious JDBC connection parameters with multiple layers of URL encoding
  3. Submitting the encoded parameters through the frontend configuration interface
  4. The system decodes the parameters once and passes security checks
  5. Subsequent decoding reveals the malicious payload, enabling unauthorized file access

The vulnerability affects the JDBC data source configuration functionality, where URL parameters containing file path references can be manipulated to read arbitrary files from the system.

Detection Methods for CVE-2025-29847

Indicators of Compromise

  • Unusual JDBC connection attempts with heavily URL-encoded parameters containing multiple %25 sequences
  • Log entries showing file access attempts through JDBC connections to unexpected file paths
  • Unexpected data exfiltration patterns following JDBC configuration changes
  • Connection strings containing encoded file path separators or system file references

Detection Strategies

  • Monitor JDBC connection logs for parameters containing multiple levels of URL encoding (nested %25 patterns)
  • Implement alerting for JDBC connection attempts that reference local file system paths
  • Review Apache Linkis access logs for unusual patterns in data source configuration requests
  • Deploy network monitoring to detect suspicious JDBC traffic patterns to sensitive file locations

Monitoring Recommendations

  • Enable detailed logging for all JDBC engine and data source configuration changes
  • Monitor for connection strings that decode to file system paths outside expected directories
  • Track and alert on rapid successive JDBC configuration attempts from the same source
  • Implement baseline monitoring for normal data source access patterns to identify anomalies

How to Mitigate CVE-2025-29847

Immediate Actions Required

  • Upgrade Apache Linkis to version 1.8.0 or later, which contains the fix for this vulnerability
  • If immediate upgrade is not possible, restrict network access to the Apache Linkis JDBC engine interface
  • Review recent JDBC data source configurations for signs of exploitation attempts
  • Implement additional input validation at the network perimeter for URL-encoded parameters

Patch Information

Apache has released version 1.8.0 which addresses this vulnerability by implementing continuous URL decoding checks. The fix ensures that connection information is recursively checked for the % character and decoded until no encoded characters remain before security validation is applied.

Users should upgrade to Apache Linkis 1.8.0 or later. For additional information and discussion about this vulnerability, refer to the Apache Linkis mailing list discussion or the Openwall OSS Security announcement.

Workarounds

  • Implement a Web Application Firewall (WAF) rule to detect and block requests with multiple levels of URL encoding
  • Restrict access to the JDBC engine configuration interface to trusted networks only
  • Disable the JDBC data source functionality if not required for operations
  • Apply network segmentation to limit the exposure of vulnerable Apache Linkis instances

For environments where upgrading is not immediately feasible, administrators should implement strict network controls and monitoring to detect exploitation attempts while planning the upgrade path.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne