## CVE-2025-32896: Apache SeaTunnel - Unauthenticated Insecure Access

### Severity: Moderate

### Affected Versions:

- Apache SeaTunnel 2.3.1 through 2.3.10

### Description:

#### Summary

Unauthorized users can perform Arbitrary File Read and Deserialization attacks by submitting a job using the restful api-v1.

#### Details

Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit a job. An attacker can set extra parameters in the MySQL URL to perform an Arbitrary File Read and Deserialization attack.

### Fixed

This issue affects Apache SeaTunnel <= 2.3.10.

#### Recommendations

Users are recommended to upgrade to version 2.3.11 and enable restful api-v2 & open HTTPS two-way authentication, which fixes the issue.

### Credit:

Owen Amadeus (reporter)

### References:

- https://seatunnel.apache.org
- https://www.cve.org/CVERecord?id=CVE-2025-32896
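
As a review aid alongside the upgrade, the following added example (not SeaTunnel code and not part of the original advisory) audits job definitions for MySQL JDBC URLs that carry parameters outside an allowlist, which is the condition the Details section describes. The job layout, the allowlist contents and the function names are assumptions made for illustration.

```python
from urllib.parse import unquote

# Assumption: the parameters your own jobs legitimately use; anything else is reported.
ALLOWED_PARAMS = {"usessl", "servertimezone", "characterencoding",
                  "useunicode", "connecttimeout", "sockettimeout"}


def mysql_urls(node):
    """Yield every string in a nested job config that is a MySQL JDBC URL."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from mysql_urls(item)
    elif isinstance(node, str) and node.strip().lower().startswith("jdbc:mysql"):
        yield node.strip()


def unexpected_params(url):
    """Return parameter names in the URL that are not on the allowlist."""
    base, _, query = url.partition("?")
    found = []
    # Connector/J also accepts key=value pairs inside (...) host blocks;
    # report that form outright instead of trying to parse it.
    if "(" in base:
        found.append("<parenthesised host properties>")
    for pair in filter(None, query.split("&")):
        key = unquote(pair.split("=", 1)[0]).strip()
        if key.lower() not in ALLOWED_PARAMS:
            found.append(key)
    return found


def audit_job(job):
    """Map each MySQL JDBC URL in the job to its unexpected parameters."""
    report = {url: unexpected_params(url) for url in mysql_urls(job)}
    return {url: extras for url, extras in report.items() if extras}


# Constructed sample job; "exampleParam" is a placeholder, not a real driver option.
SAMPLE_JOB = {
    "source": [{"plugin_name": "Jdbc",
                "url": "jdbc:mysql://db.internal:3306/sales?useSSL=true"}],
    "sink": [{"plugin_name": "Jdbc",
              "url": "jdbc:mysql://198.51.100.7:3306/x?useSSL=false&exampleParam=1"}],
}

if __name__ == "__main__":
    for url, extras in audit_job(SAMPLE_JOB).items():
        print(f"REVIEW {url} -> {extras}")
```

The allowlist fails closed: percent-encoded or oddly cased parameter names are decoded and compared case-insensitively, and anything not explicitly permitted is reported for review.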