CVE-2021-25646

Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.

Basic Information

CVE State: PUBLISHED
Reserved Date: January 21, 2021
Published Date: January 29, 2021
Last Updated: February 13, 2025
Vendor: Apache Software Foundation
Product: Apache Druid
Description: Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

Source	Added Date
The Shadowserver (via CIRCL)	2025-04-28 00:00:00 UTC

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_druid_js_rce.rb	2025-04-29 11:01:11 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-25646.yaml	2025-04-26 00:00:00 UTC

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Type: metasploit • Created: Unknown

Metasploit module for CVE-2021-25646

Type: github • Created: 2024-10-04 15:06:37 UTC • Stars: 4

CVE-2021-25646 Apache Druid 远程代码执行漏洞检测和利用工具

Type: github • Created: 2021-12-12 14:40:12 UTC • Stars: 4

Apache Druid remote code execution vulnerability - Apache Druid 远程代码执行漏洞利用 CVE-2021-25646

Type: github • Created: 2021-04-14 15:36:04 UTC • Stars: 3

CVE-2021-25646 Apache Druid 远程代码执行漏洞 Wker脚本

Type: github • Created: 2021-02-13 11:48:35 UTC • Stars: 3

Type: github • Created: 2021-02-03 06:45:54 UTC • Stars: 2