Security Vulnerability in Apache InLong Apache InLong is an open-source data integration framework that provides massive conversion of data and data exchange services. An attacker can inject code to control the behavior of the program.
The vulnerability, CVE-2025-27528, would allow attackers to read arbitrary files from InLong systems that have vulnerable versions of the software installed, allowing them to potentially leak sensitive data and gain unauthorized access. Security researchers are advising consumers to protect themselves against the threat now.
The weakness is due to the mismanagement of specific objects in the JDBC URL. Through the combination of tags on the connection string, an attacker could evade security measures and be able to read from files it was not supposed to. This might help them gain access to configuration files, logs, or worse, whatever sensitive data is hosted on the server.
The Snyk database classifies this vulnerability as critical, while the CVSS assigned score is 9.3. The attack can be carried out remotely, without any special conditions or permissions and without any user interaction, which makes it particularly dangerous.
An attacker that successfully exploited this vulnerability could cause a range of downstream impacts with high confidence, including exposure of sensitive information and data tampering.
All versions of Apache InLong prior to 1.3.0 are affected by this vulnerability. Users are strongly encouraged to upgrade to 1.3.0 or later as soon as possible. This update provides the code fixes to prevent character special characters to be improperly processed in the JDBC driver that could be exploited.
As well as applying patches, Avast said, users should also check their InLong setup to make sure access to the InLong server is properly restricted and audited. Network segregation or minimizing the attack surface can also help reduce the likelihood of exploitation.
An advisory describing this issue and the required action is available from the Apache Software Foundation. Please refer to this advisory for complete information and remediations to secure your InLong deployments.
What this vulnerability reinforces is the need to keep all software components up to date and follow best practices when it comes to applying security patches. For those enterprises that actually use Apache InLong for your data integration pipeline, now is your chance to ensure your valuable data assets are not held to ransom by some nefarious cybercriminal.
