CVE-2025-24404

EPSS 0.06%
Veröffentlicht 09.09.2025 09:30:59
Zuletzt bearbeitet 10.09.2025 15:53:00
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat.












The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing vulnerability.

This issue affects Apache HertzBeat (incubating): before 1.7.0.

Users are recommended to upgrade to version 1.7.0, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Hertzbeat Version < 1.7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.188

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

https://lists.apache.org/thread/4ydy3tqbpwmhl79mcj3pxwqz62nggrfd

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2025-24404

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-24404

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-24404

EUVD