CVE-2025-24404

EPSS 0.06%
Published 09.09.2025 09:30:59
Last modified 10.09.2025 15:53:00
Source security@apache.org
Teams watchlist Login
Open Login

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat.












The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing vulnerability.

This issue affects Apache HertzBeat (incubating): before 1.7.0.

Users are recommended to upgrade to version 1.7.0, which fixes the issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Hertzbeat Version < 1.7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.06%	0.188

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

https://lists.apache.org/thread/4ydy3tqbpwmhl79mcj3pxwqz62nggrfd

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2025-24404

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-24404

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-24404

EUVD