Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-66524

Good to know:

icon
icon

Date: December 19, 2025

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.

Severity Score

Related Resources (5)

https://nvd.nist.gov/vuln/detail/CVE-2025-66524
http://www.openwall.com/lists/oss-security/2025/12/18/2
https://lists.apache.org/thread/k9h004ydjg7opdvxr0nfywtzf33z60d7
https://seclists.org/oss-sec/2025/q4/286
https://www.mend.io/vulnerability-database/CVE-2025-66524

Severity Score

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

icon

Upgrade Version

Upgrade to version org.apache.nifi:nifi-asana-processors:2.7.0;https://github.com/apache/nifi.git - rel/nifi-2.7.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us