Back to KEVs

CVE-2021-25646

Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.

Basic Information

CVE State
PUBLISHED
Reserved Date
January 21, 2021
Published Date
January 29, 2021
Last Updated
February 13, 2025
Vendor
Apache Software Foundation
Product
Apache Druid
Description
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Tags
apache nuclei_scanner metasploit_scanner

CVSS Scores

CVSS v3.1

8.8 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

9.0

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS Score

Score
94.32% (Percentile: 99.94%) as of 2025-05-26

Exploit Status

Exploited in the Wild
Yes (2025-05-10 00:00:00 UTC) Source

References

https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E http://www.openwall.com/lists/oss-security/2021/01/29/6 https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-04-28 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_druid_js_rce.rb 2025-04-29 11:01:11 UTC
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-25646.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

apache_druid_js_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2021-25646

k7pro/CVE-2021-25646-exp

Type: github • Created: 2024-10-04 15:06:37 UTC • Stars: 4

CVE-2021-25646 Apache Druid 远程代码执行 漏洞检测和利用工具

j2ekim/CVE-2021-25646

Type: github • Created: 2021-12-12 14:40:12 UTC • Stars: 4

Apache Druid remote code execution vulnerability - Apache Druid 远程代码执行漏洞利用 CVE-2021-25646

givemefivw/CVE-2021-25646

Type: github • Created: 2021-04-14 15:36:04 UTC • Stars: 3

CVE-2021-25646 Apache Druid 远程代码执行漏洞 Wker脚本

Vulnmachines/Apache-Druid-CVE-2021-25646

Type: github • Created: 2021-02-13 11:48:35 UTC • Stars: 3

lp008/CVE-2021-25646

Type: github • Created: 2021-02-03 06:45:54 UTC • Stars: 2

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel

  • Detected by Metasploit