Apache SeaTunnel, the widely used distributed data integration platform, has disclosed a significant security vulnerability that enables unauthorized users to execute arbitrary file read operations and deserialization attacks through its RESTful API interface.
The vulnerability, tracked as CVE-2025-32896 and reported on April 12, 2025, affects multiple versions of the platform and has been classified with moderate severity.
Apache SeaTunnel RCE Vulnerability
The security flaw impacts Apache SeaTunnel versions 2.3.1 through 2.3.10, creating a substantial exposure window for organizations utilizing these versions in production environments.
The vulnerability stems from insufficient access controls in the platform’s RESTful API-v1 implementation, specifically in the /hazelcast/rest/maps/submit-job endpoint.
This endpoint, designed for job submission functionality, lacks proper authentication mechanisms, allowing malicious actors to exploit the system without valid credentials.
Security researcher Owen Amadeus discovered and reported this vulnerability, highlighting how unauthorized users can bypass security controls to access sensitive system resources.
Technically, the flaw lies in how MySQL connection parameters are handled: attackers can inject malicious payloads through parameters of the MySQL connection URL, which the platform passes on without checking them.
This attack vector is particularly concerning because it combines two critical security risks: arbitrary file access and deserialization vulnerabilities, which can lead to remote code execution scenarios.
The exploitation mechanism centers around the manipulation of database connection strings within the SeaTunnel job submission process.
Attackers can craft specially designed MySQL URLs containing additional parameters that trigger both arbitrary file read operations and Java deserialization attacks. The vulnerable endpoint /hazelcast/rest/maps/submit-job processes these malicious requests without proper validation or authentication checks.
The deserialization component of this attack is particularly dangerous, as it can allow attackers to execute arbitrary code on the target system.
By submitting crafted serialized objects through the job submission interface, malicious actors can potentially gain complete control over the affected SeaTunnel instance.
This type of vulnerability exploits Java’s object serialization mechanism, where deserializing untrusted data can trigger code execution, bypassing traditional security boundaries.
Risk Factors and Details
Affected Products: Apache SeaTunnel versions 2.3.1 through 2.3.10
Impact: Remote Code Execution (RCE)
Exploit Prerequisites: network access to the SeaTunnel instance; API-v1 enabled (the default); absence of HTTPS two-way authentication
CVSS 3.1 Score: 8.2 (High)
Remediation Steps
The Apache SeaTunnel development team has addressed this vulnerability in version 2.3.11, implementing comprehensive security improvements to prevent unauthorized access.
Organizations running affected versions should immediately upgrade to the latest release to mitigate potential security risks. The fix includes enhanced authentication mechanisms and input validation procedures.
Beyond version upgrades, administrators are strongly advised to implement additional security measures.
The Apache team recommends enabling RESTful API-v2 functionality, which includes improved security controls and authentication frameworks.
Furthermore, implementing HTTPS two-way authentication provides an additional security layer by ensuring mutual certificate validation between clients and servers.
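As an added example (not code from the advisory or the SeaTunnel project), the following Python script shows two defensive checks that follow from the description above: flagging POSTs to the unauthenticated API-v1 job-submission endpoint in a web access log, and rejecting MySQL connection URLs whose query parameters fall outside an allowlist, so that unexpected connector switches never reach the driver. The endpoint path comes from the advisory; the log format, the allowlist contents and the sample log lines and URLs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint the advisory names as lacking authentication on RESTful API-v1.
VULNERABLE_ENDPOINT = "/hazelcast/rest/maps/submit-job"

# Hypothetical allowlist of connection-URL parameters a job config may carry.
# Anything not listed is rejected (allowlist, not denylist), so unexpected
# connector options cannot be smuggled in through the URL.
ALLOWED_URL_PARAMS = {"useSSL", "serverTimezone", "characterEncoding", "connectTimeout"}

# Common Log Format, as an assumed access-log layout in front of SeaTunnel.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2025:10:00:01 +0000] "POST /hazelcast/rest/maps/submit-job HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Apr/2025:10:00:02 +0000] "GET /hazelcast/rest/maps/running-jobs HTTP/1.1" 200 88',
    '203.0.113.9 - - [12/Apr/2025:10:00:03 +0000] "POST /hazelcast/rest/maps/submit-job?format=json HTTP/1.1" 200 512',
]


def flag_submit_job_requests(log_lines):
    """Return (source, status) for every POST to the vulnerable endpoint, query string ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?", 1)[0] == VULNERABLE_ENDPOINT:
            hits.append((m.group("src"), int(m.group("status"))))
    return hits


def disallowed_url_params(mysql_url):
    """Return the query-parameter names in a jdbc:mysql:// URL that are not on the allowlist."""
    if not mysql_url.startswith("jdbc:mysql://"):
        raise ValueError("only jdbc:mysql:// URLs are handled")
    # Strip the "jdbc:" prefix so urlsplit parses the remainder as an ordinary URL.
    parts = urlsplit(mysql_url[len("jdbc:"):])
    allowed = {p.lower() for p in ALLOWED_URL_PARAMS}   # compare case-insensitively
    return {k for k, _ in parse_qsl(parts.query, keep_blank_values=True) if k.lower() not in allowed}


if __name__ == "__main__":
    print("submit-job POSTs:", flag_submit_job_requests(SAMPLE_LOG))
    print("rejected params:", disallowed_url_params("jdbc:mysql://db.internal:3306/orders?useSSL=true&unexpectedOption=1"))
```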