
CVE-2025-48977: Apache Ignite Path Traversal Vulnerability

CVE-2025-48977 is a relative path traversal flaw in the Apache Ignite REST API that allows authenticated users to read arbitrary files via crafted log paths. This article covers technical details, affected versions, and mitigation.


CVE-2025-48977 Overview

CVE-2025-48977 is a relative path traversal vulnerability [CWE-23] affecting the Apache Ignite REST API. Authenticated REST API users can read arbitrary files on the server by issuing a cmd=log command with a maliciously crafted log path. The flaw affects Apache Ignite versions 2.0.0 through 2.17.0. The Apache Ignite project released version 2.18.0 to remediate the issue.

Critical Impact

Authenticated attackers can read any file accessible to the Ignite process user, exposing configuration files, credentials, private keys, and application data on affected nodes.

Affected Products

  • Apache Ignite 2.0.0 through 2.17.0
  • Apache Ignite REST API component (cmd=log handler)
  • Deployments exposing the Ignite REST endpoint to authenticated users

Discovery Timeline

  • 2026-05-28 - CVE-2025-48977 published to the National Vulnerability Database
  • 2026-05-28 - Last updated in NVD database

Technical Details for CVE-2025-48977

Vulnerability Analysis

The vulnerability resides in the Apache Ignite REST API endpoint that handles the cmd=log command. This command is intended to return Apache Ignite log file contents to authenticated callers. The handler accepts a log file path parameter but fails to canonicalize the supplied path before reading the file. An authenticated user can supply a relative path containing ../ sequences to escape the intended log directory. The server then returns the contents of any file the Ignite process can read.

Because the issue is in path resolution rather than authentication, attackers who already hold valid REST API credentials gain a broad file-read primitive. Typical targets include /etc/passwd, Ignite configuration files containing cluster secrets, JKS keystores, SSH private keys, and application-tier credential stores. Read access to such files often supports lateral movement and full cluster compromise.

Root Cause

The root cause is insufficient validation of the log file path parameter passed to the cmd=log handler. The REST API constructs the file path by concatenating user input rather than restricting reads to a fixed log directory. Apache Ignite version 2.18.0 adds path validation to constrain reads to legitimate log file locations.
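
The root-cause pattern and the general shape of its fix, as an added Python illustration (not Apache Ignite's Java code, and not taken from the 2.18.0 patch). The function names and the constructed directory tree are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path

def read_log_unsafe(log_dir, user_path):
    """'Before' pattern: user input is joined to the base directory and opened."""
    with open(os.path.join(log_dir, user_path), "rb") as fh:
        return fh.read()

def resolve_log_path(log_dir, user_path):
    """Canonicalise first, then require the result to stay inside log_dir."""
    base = Path(log_dir).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks; an absolute user_path
    # discards base entirely, which the containment test below also catches.
    candidate = (base / user_path).resolve(strict=True)
    if base not in candidate.parents or not candidate.is_file():
        raise PermissionError(f"not a file inside the log directory: {user_path!r}")
    return candidate

def read_log_safe(log_dir, user_path):
    """'After' pattern: only open what resolve_log_path() has accepted."""
    with open(resolve_log_path(log_dir, user_path), "rb") as fh:
        return fh.read()

def demo():
    """Run both readers against a constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        log_dir, conf = Path(root, "log"), Path(root, "conf")
        log_dir.mkdir()
        conf.mkdir()
        (log_dir / "ignite.log").write_bytes(b"node started\n")
        (conf / "secret.txt").write_bytes(b"constructed-secret\n")
        (log_dir / "link.log").symlink_to(conf / "secret.txt")
        cases = {"plain": "ignite.log", "dotdot": "../conf/secret.txt",
                 "absolute": str(conf / "secret.txt"), "symlink": "link.log"}
        out = {"unsafe": read_log_unsafe(log_dir, cases["dotdot"])}
        for label, path in cases.items():
            try:
                out[label] = read_log_safe(log_dir, path)
            except PermissionError:
                out[label] = "rejected"
        return out

if __name__ == "__main__":
    print(demo())
```

The containment test runs on the canonical path, so a symlink placed inside the log directory is rejected along with ../ sequences and absolute paths.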

Attack Vector

Exploitation requires network access to the Apache Ignite REST endpoint and valid authentication credentials. The attacker issues a single HTTP GET or POST request to the REST API with cmd=log and a path parameter containing directory traversal sequences. No user interaction or elevated privileges are required beyond the initial authenticated session. The vulnerability mechanism is documented in the Apache Email Thread announcement.

Detection Methods for CVE-2025-48977

Indicators of Compromise

  • REST API requests to the Apache Ignite endpoint containing cmd=log combined with ../ or URL-encoded %2e%2e%2f sequences in path parameters.
  • Access log entries showing cmd=log requests with file paths outside the standard Ignite log directory.
  • Unexpected reads of sensitive files such as /etc/passwd, /etc/shadow, or Ignite configuration files by the Ignite process.

Detection Strategies

  • Inspect HTTP access logs for the Ignite REST listener and alert on cmd=log requests whose path parameter contains traversal tokens or absolute paths.
  • Correlate authenticated REST API sessions with file-read system calls on the Ignite host to detect reads outside the configured log directory.
  • Apply Web Application Firewall rules that block path traversal patterns on the Ignite REST endpoint.
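
One way to implement the access-log check from the first strategy above, as an added Python example that is not part of the original advisory or of Apache Ignite. The log lines are constructed, and the /ignite URL path, the path parameter name and the combined-log field layout are assumptions to adjust for your listener.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of a common/combined-format access log line
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify_path(path):
    """Return why a cmd=log path is suspicious, or None if it looks benign."""
    p = fully_decode(path).replace("\\", "/")
    if p.startswith("/") or re.match(r"[A-Za-z]:/", p):
        return "absolute path"
    if ".." in p.split("/"):
        return "traversal sequence"
    return None

def scan(lines):
    """Return (line_no, reason, path) for each flagged cmd=log request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs already applies one round of percent-decoding
        query = parse_qs(urlsplit(m.group("target")).query)
        if "log" not in query.get("cmd", []):
            continue
        for path in query.get("path", []):
            reason = classify_path(path)
            if reason:
                findings.append((n, reason, path))
    return findings

# Constructed sample lines; the /ignite URL and field layout are assumptions
SAMPLE = [
    '10.10.0.5 - admin [01/Jan/2025:10:00:00 +0000] "GET /ignite?cmd=log&path=work/log/ignite.log HTTP/1.1" 200 512',
    '10.10.0.9 - svc [01/Jan/2025:10:01:00 +0000] "GET /ignite?cmd=log&path=../../../etc/passwd HTTP/1.1" 200 1842',
    '10.10.0.9 - svc [01/Jan/2025:10:01:05 +0000] "GET /ignite?cmd=log&path=%252e%252e%252fconf%252fsecret.xml HTTP/1.1" 200 90',
    '10.10.0.9 - svc [01/Jan/2025:10:01:09 +0000] "GET /ignite?cmd=log&path=/etc/shadow HTTP/1.1" 500 0',
    '10.10.0.5 - admin [01/Jan/2025:10:02:00 +0000] "GET /ignite?cmd=version HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Access logs record only the request line, so cmd=log requests sent as POST with the parameters in the body are not visible to this check and need proxy or application-level logging.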

Monitoring Recommendations

  • Forward Ignite REST access logs and host file-access telemetry to a centralized log platform for correlation and retention.
  • Baseline normal cmd=log usage by user and source IP, then alert on deviations such as new accounts or atypical client networks.
  • Monitor authentication events on the Ignite cluster for credential compromise that could enable this vulnerability.

How to Mitigate CVE-2025-48977

Immediate Actions Required

  • Upgrade all Apache Ignite nodes to version 2.18.0 or later.
  • Restrict network exposure of the Ignite REST API to trusted management networks only.
  • Rotate any credentials, keys, or secrets stored on Ignite hosts that may have been read by untrusted authenticated users.
  • Audit Ignite REST API user accounts and remove any unnecessary or stale credentials.

Patch Information

Apache Ignite version 2.18.0 fixes the path traversal in the cmd=log handler. Operators running any release in the affected 2.0.0 through 2.17.0 range should plan an immediate upgrade. Refer to the Apache Ignite security announcement for release details.

Workarounds

  • Disable the Ignite REST API on nodes where it is not required by setting the connector to inactive in the node configuration.
  • Place the Ignite REST endpoint behind a reverse proxy that strips or rejects ../ and encoded traversal sequences in request parameters.
  • Restrict REST API authentication to a minimal set of administrative accounts and enforce strong, unique credentials.

```bash
# Example: block the Ignite REST API at the host firewall until patched
# Allow only the management subnet 10.10.0.0/24 to reach port 8080
iptables -A INPUT -p tcp --dport 8080 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
