CVE-2025-61735 Overview
CVE-2025-61735 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] affecting Apache Kylin, the distributed analytics engine designed for online analytical processing (OLAP) on large datasets. The flaw allows an attacker with system or project administrator access to coerce the Kylin server into issuing arbitrary HTTP requests to internal or external resources. The vulnerability impacts Apache Kylin versions 4.0.0 through 5.0.2. The Apache Kylin project has released version 5.0.3 to remediate the issue.
Critical Impact
An authenticated administrator can abuse Apache Kylin to probe internal network services, access cloud metadata endpoints, or exfiltrate data from systems otherwise unreachable from the public network.
Affected Products
- Apache Kylin 4.0.0 through 5.0.2
- Apache Kylin 5.x deployments running any release earlier than 5.0.3
- Environments where Kylin system or project admin access is not strictly controlled
Discovery Timeline
- 2025-10-02 - CVE-2025-61735 published to the National Vulnerability Database
- 2025-11-04 - NVD entry last updated
Technical Details for CVE-2025-61735
Vulnerability Analysis
Apache Kylin exposes administrative functionality that accepts user-supplied URLs without sufficient validation of the destination host. When an administrator provides a URL, the Kylin backend issues an outbound HTTP request to that target on behalf of the server. Because Kylin runs with network access to internal infrastructure, this primitive can be redirected to internal-only hosts and ports.
The vulnerability requires authenticated access at the system or project administrator level. The Apache advisory explicitly states that deployments with well-protected admin access are not at risk, indicating the attack surface is gated by Kylin's role-based access controls rather than by URL validation in the affected endpoint.
Root Cause
The root cause is missing or insufficient validation of destination URLs supplied to administrative functions in Kylin. The application does not enforce an allowlist of permitted hosts and does not block requests to internal IP ranges, loopback addresses, or cloud metadata services such as 169.254.169.254. As a result, the server acts as an HTTP proxy for the authenticated attacker.
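A destination check of the kind the affected functions lack, added here as an example in Python rather than taken from Kylin (whose code base is Java): ALLOWED_HOSTS, validate_outbound_url and the injectable resolver are hypothetical names. The allowlist is consulted first, then the name is resolved and every returned address is screened, so the caller connects to a checked address instead of resolving again.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Operator-maintained allowlist of outbound destinations (hypothetical names,
# not a Kylin configuration key). Anything not listed is refused outright.
ALLOWED_HOSTS = {"metastore.example.internal", "files.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Every address the name resolves to, IPv4 and IPv6, scope ids stripped."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def is_forbidden_address(addr):
    """Loopback, link-local (which covers the 169.254.169.254 metadata service),
    unspecified and multicast addresses are refused even for an allowlisted
    name, so a DNS answer pointing at them cannot slip through."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast


def validate_outbound_url(url, resolver=resolve_all):
    """Return (True, [addresses]) if the URL may be fetched, else (False, reason).
    The caller should connect to one of the returned addresses rather than
    resolving the name a second time, which closes the rebinding window."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not permitted"
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "name does not resolve"
    bad = sorted(a for a in addrs if is_forbidden_address(a))
    if bad:
        return False, "host resolves to forbidden address " + bad[0]
    return True, sorted(addrs)
```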
Attack Vector
An attacker who has obtained system or project admin credentials, through phishing, credential reuse, or weak password policies, can submit crafted URLs through Kylin admin functionality. Typical SSRF targets include internal REST APIs, database administration consoles, Kubernetes API servers, and cloud provider instance metadata endpoints. Successful exploitation can expose service tokens, IAM credentials, and internal topology data.
No public proof-of-concept exploit code is currently available for CVE-2025-61735. Refer to the Apache Security Mailing List Thread and the Openwall OSS Security Notice for the vendor disclosure.
Detection Methods for CVE-2025-61735
Indicators of Compromise
- Outbound HTTP connections from the Apache Kylin host to internal IP ranges or 169.254.169.254 that do not match normal query workload patterns
- Unexpected admin-level API calls to Kylin endpoints that accept URL parameters
- Authentication or API requests from the Kylin service account to internal systems that Kylin does not normally interact with
Detection Strategies
- Inspect Kylin access logs for admin API requests containing URL parameters pointing to private address space (RFC 1918), link-local addresses, or non-standard ports
- Correlate Kylin process network telemetry with expected data source endpoints; flag deviations
- Monitor authentication logs for new or unusual admin logins preceding outbound HTTP activity
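The first detection strategy above, run over constructed log lines, as an added example that is not part of the advisory: the key=value access-log layout, SAMPLE_LOG, classify_target and scan_log are hypothetical, and Kylin's real log format differs, so LINE_RE has to be adapted. It flags URL parameters whose host is a loopback, link-local or RFC 1918 literal, or whose port is non-standard; hostnames that merely resolve to internal addresses are left to the network-telemetry correlation of the second strategy.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a hypothetical key=value access-log layout; real
# Kylin logs differ, so LINE_RE must be adapted to the deployment's format.
SAMPLE_LOG = """\
2025-10-05T10:12:01Z user=analyst1 role=user method=GET path=/kylin/api/cubes query=
2025-10-05T10:12:07Z user=admin role=admin method=POST path=/kylin/api/admin/fetch query=url=https://files.example.com/report.csv
2025-10-05T10:12:09Z user=admin role=admin method=POST path=/kylin/api/admin/fetch query=url=http://169.254.169.254/
2025-10-05T10:12:15Z user=admin role=admin method=POST path=/kylin/api/admin/fetch query=url=http://10.0.0.12:6443/api/
2025-10-05T10:12:20Z user=admin role=admin method=POST path=/kylin/api/admin/fetch query=url=http://localhost:7070/
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                     r"method=\S+ path=(?P<path>\S+) query=(?P<query>.*)$")
STANDARD_PORTS = {80, 443}


def classify_target(url):
    """Reasons a URL parameter's destination matches the advisory's indicators."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname: needs resolution or network telemetry to judge
    if host == "localhost" or (ip is not None and ip.is_loopback):
        reasons.append("loopback")
    elif ip is not None and ip.is_link_local:
        reasons.append("link-local/metadata")
    elif ip is not None and ip.is_private:
        reasons.append("rfc1918/private")
    if parts.port is not None and parts.port not in STANDARD_PORTS:
        reasons.append("non-standard port %d" % parts.port)
    return reasons


def scan_log(text):
    """Alerts (ts, user, path, url, reasons) for requests whose url= parameter
    points at a suspicious destination."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for url in parse_qs(m["query"]).get("url", []):
            reasons = classify_target(url)
            if reasons:
                alerts.append((m["ts"], m["user"], m["path"], url, reasons))
    return alerts
```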
Monitoring Recommendations
- Forward Kylin application logs and host-level network telemetry to a centralized analytics platform for correlation
- Alert on connections from the Kylin JVM to cloud metadata services or Kubernetes API endpoints
- Track configuration changes to Kylin admin accounts and project membership
How to Mitigate CVE-2025-61735
Immediate Actions Required
- Upgrade Apache Kylin to version 5.0.3 or later, which contains the fix from the Apache Kylin project
- Audit all system and project administrator accounts, revoke unused credentials, and enforce strong authentication
- Restrict network egress from the Kylin host using firewall rules that deny access to internal management plane services and cloud metadata IPs
Patch Information
Apache Kylin 5.0.3 remediates CVE-2025-61735. The vendor advisory is available on the Apache Security Mailing List Thread. Operators should plan an upgrade window and validate the upgrade in a staging environment before deploying to production clusters.
Workarounds
- Tightly control system and project admin access in Kylin; the vendor confirms that protected admin access mitigates exposure
- Place Kylin behind a network egress proxy that enforces an allowlist of permitted outbound destinations
- Block the Kylin host from reaching 169.254.169.254 and other cloud metadata endpoints at the host firewall or VPC level
# Example iptables rules to block cloud metadata and loopback abuse from the Kylin host.
# Append them ahead of any blanket ACCEPT in OUTPUT; add "-m owner --uid-owner <kylin-user>" to scope each rule to the Kylin service account.
# Cloud instance metadata service (link-local address)
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Loopback destinations may only leave via the lo interface
iptables -A OUTPUT -d 127.0.0.0/8 ! -o lo -j DROP
# Kubernetes API server default port inside the RFC 1918 10/8 range
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 6443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.