CVE-2021-25646

High PUBLISHED

Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.

Apache Software Foundation · Apache Druid

Not yet in CISA KEV

Exploited in the wild PoC available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
High
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
Not yet in CISA KEV
CVSS / EPSS
8.8 High

At a Glance

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

metasploit nuclei_scanner java apache
CVE Published
Jan 29, 2021
Exploitation Reported
Apr 27, 2025
CVSS
8.8 High
EPSS
Remote Low complexity No user interaction

Affected Versions

Vendor Product Version Status
Apache Software Foundation
Apache Druid

0.20.0 and earlier to <= 0.20.0

Affected

CVE References

Show 11 more references

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.