CVE-2025-24404

EPSS 0.08%
Veröffentlicht 09.09.2025 09:30:59
Zuletzt bearbeitet 04.11.2025 22:16:07
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache HertzBeat (incubating): RCE by parse http sitemap xml response

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat.












The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing vulnerability.

This issue affects Apache HertzBeat (incubating): before 1.7.0.

Users are recommended to upgrade to version 1.7.0, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Hertzbeat Version < 1.7.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.237

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

https://lists.apache.org/thread/4ydy3tqbpwmhl79mcj3pxwqz62nggrfd

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2025/09/06/4

https://nvd.nist.gov/vuln/detail/CVE-2025-24404

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-24404

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-24404

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-24404