Vulnerability DatabaseCVE-2025-62728
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-62728
November 26, 2025
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2) thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to general public.
Affected Packages
https://github.com/apache/hive.git (GITHUB):
Affected version(s) =rel/release-4.1.0 <rel/release-4.2.0
Fix Suggestion:
Update to version rel/release-4.2.0
org.apache.hive:hive-metastore (JAVA):
Affected version(s) =4.1.0 <4.2.0
Fix Suggestion:
Update to version 4.2.0
org.apache.hive:hive-common (JAVA):
Affected version(s) =4.1.0 <4.2.0
Fix Suggestion:
Update to version 4.2.0
org.apache.hive:hive-standalone-metastore-server (JAVA):
Affected version(s) =4.1.0 <4.2.0
Fix Suggestion:
Update to version 4.2.0
Related Resources (6)
https://github.com/apache/hive/commit/c18d0df2702130cf5d0f050e516eb8999aa56301
https://github.com/apache/hive
https://issues.apache.org/jira/browse/HIVE-29269
https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g
http://www.openwall.com/lists/oss-security/2025/11/26/3
https://nvd.nist.gov/vuln/detail/CVE-2025-62728
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.5
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-89
EPSS
Base Score:
0.10