CVE-2025-64152 Overview
CVE-2025-64152 is a path traversal vulnerability in Apache IoTDB, an open-source time-series database designed for Internet of Things (IoT) workloads. The flaw stems from improper limitation of a pathname to a restricted directory [CWE-22]. Attackers can exploit the issue over the network without authentication or user interaction. The vulnerability affects Apache IoTDB versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.6. The Apache Software Foundation has released patched versions 1.3.6 and 2.0.7 to address the issue.
Critical Impact
Unauthenticated network attackers can traverse directories to read and modify files outside the intended IoTDB storage paths, compromising confidentiality and integrity of the database host.
Affected Products
- Apache IoTDB versions 1.0.0 through 1.3.5
- Apache IoTDB versions 2.0.0 through 2.0.6
- Fixed in Apache IoTDB 1.3.6 and 2.0.7
Discovery Timeline
- 2026-06-26 - CVE-2025-64152 published to NVD
- 2026-06-26 - Last updated in NVD database
Technical Details for CVE-2025-64152
Vulnerability Analysis
Apache IoTDB fails to properly validate pathnames supplied to certain file-handling operations. The database accepts input that references file locations but does not sufficiently restrict traversal sequences such as ../ before resolving those paths. As a result, requests can reference files outside the intended storage directory. The scope covers both major release lines, meaning long-lived 1.x deployments and modern 2.x deployments require patching.
Root Cause
The root cause is classified under [CWE-22], Improper Limitation of a Pathname to a Restricted Directory. IoTDB constructs file paths from attacker-influenced input and passes them to filesystem operations without canonicalizing the result or enforcing a strict allowlist of directories. This allows relative path segments to escape the intended base directory.
Attack Vector
The vulnerability is exploitable over the network with low attack complexity. Attackers do not need credentials or user interaction. A remote adversary crafts a request containing traversal sequences to reach files outside the IoTDB working directories. Successful exploitation results in unauthorized file read or file write on the host running IoTDB, impacting confidentiality and integrity.
No verified public proof-of-concept code is available at publication. Refer to the Apache Mailing List Thread and the Openwall OSS-Security Discussion for vendor-provided technical details.
Detection Methods for CVE-2025-64152
Indicators of Compromise
- Requests to IoTDB endpoints containing directory traversal sequences such as ../, ..\, or URL-encoded variants like %2e%2e%2f.
- Unexpected file reads or writes originating from the IoTDB service account outside of configured data directories.
- New or modified files in system directories with timestamps aligned to inbound IoTDB traffic.
Detection Strategies
- Inspect IoTDB access logs for requests referencing filesystem paths, especially those containing parent directory operators.
- Deploy web application firewall or reverse proxy rules that flag traversal patterns targeting IoTDB service ports.
- Correlate process-level file access telemetry from the IoTDB JVM against the configured data and WAL directories.
Monitoring Recommendations
- Enable verbose audit logging on IoTDB and forward logs to a centralized analytics platform for pattern analysis.
- Alert on IoTDB process file operations targeting sensitive system paths such as /etc/, user home directories, or JVM configuration files.
- Baseline network connections to IoTDB ports and investigate spikes in request volume or new source addresses.
How to Mitigate CVE-2025-64152
Immediate Actions Required
- Upgrade Apache IoTDB 1.x deployments to version 1.3.6 and 2.x deployments to version 2.0.7.
- Restrict network access to IoTDB service ports to trusted management networks only.
- Audit the IoTDB host filesystem for unauthorized file modifications following patch application.
Patch Information
The Apache IoTDB project has released fixed versions 1.3.6 and 2.0.7. Administrators should upgrade immediately following the guidance in the Apache Mailing List Thread. No official workaround has been published by the vendor; upgrading is the recommended path.
Workarounds
- Place IoTDB behind a reverse proxy configured to reject requests containing path traversal sequences.
- Run the IoTDB service under a dedicated low-privilege operating system account with mandatory access controls limiting reachable directories.
- Apply network segmentation and firewall rules to prevent untrusted clients from reaching IoTDB endpoints until patching is complete.
# Verify installed Apache IoTDB version
./sbin/start-cli.sh -e "show version"
# Example firewall rule restricting IoTDB port 6667 to a management subnet
iptables -A INPUT -p tcp --dport 6667 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6667 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

