## CVE-2025-32896: Apache SeaTunnel - Unauthenticated Insecure Access

### Severity: Moderate

### Affected Versions:

- Apache SeaTunnel 2.3.1 through 2.3.10

### Description:

#### Summary

Unauthorized users can perform Arbitrary File Read and Deserialization attacks by submitting a job via the restful api-v1.

#### Details

Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit a job. An attacker can inject extra parameters into the MySQL URL to trigger Arbitrary File Read and Deserialization attacks.

### Fixed

This issue affects Apache SeaTunnel versions up to and including 2.3.10.

#### Recommendations

Users are advised to upgrade to version 2.3.11 and enable restful api-v2 along with HTTPS two-way authentication, which resolves the vulnerability.

### Credit:

Owen Amadeus (reporter)

### References:

- https://seatunnel.apache.org
- https://www.cve.org/CVERecord?id=CVE-2025-32896
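
The Details section describes extra parameters injected into the MySQL URL of a submitted job. The following added example (not part of the advisory or of SeaTunnel's code) audits a job body by allowlisting MySQL URL parameters instead of trying to enumerate bad ones. The allowlist contents, function names and sample job layout are assumptions.

```python
import json
import re

# Assumption: the only URL parameters this deployment needs; extend deliberately.
ALLOWED_PARAMS = {"useSSL", "sslMode", "serverTimezone", "characterEncoding",
                  "useUnicode", "connectTimeout", "socketTimeout"}
# Plain host[:port]/db form only; other Connector/J URL syntaxes are refused.
_URL_RE = re.compile(r"jdbc:mysql://[A-Za-z0-9.-]+(?::\d{1,5})?/[A-Za-z0-9_]*(?:\?(?P<query>.*))?")
_VALUE_RE = re.compile(r"[A-Za-z0-9_.+:/-]*")

def check_mysql_url(url):
    """Return the reasons to reject url; an empty list means it passes."""
    m = _URL_RE.fullmatch(url)
    if not m:
        return ["not a plain jdbc:mysql://host[:port]/db URL"]
    problems = []
    for pair in filter(None, (m.group("query") or "").split("&")):
        key, _, value = pair.partition("=")
        if key not in ALLOWED_PARAMS:  # exact match, so encoded keys fail too
            problems.append(f"parameter not on allowlist: {key!r}")
        elif not _VALUE_RE.fullmatch(value):
            problems.append(f"unexpected characters in value of {key!r}")
    return problems

def iter_jdbc_urls(node, path="$"):
    """Yield (json_path, url) for every MySQL JDBC string anywhere in a job body."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from iter_jdbc_urls(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from iter_jdbc_urls(v, f"{path}[{i}]")
    elif isinstance(node, str) and node.lower().startswith("jdbc:mysql"):
        yield path, node

def audit_job(body):
    """Map json_path -> problems for each MySQL URL that fails the allowlist."""
    results = ((p, check_mysql_url(u)) for p, u in iter_jdbc_urls(json.loads(body)))
    return {p: probs for p, probs in results if probs}

# Constructed sample job body; the field layout is illustrative only.
SAMPLE_JOB = json.dumps({
    "source": [{"plugin_name": "Jdbc",
                "url": "jdbc:mysql://db.example:3306/test?useSSL=true&notOnAllowlist=1"}],
    "sink": [{"plugin_name": "Jdbc",
              "url": "jdbc:mysql://db.internal:3306/orders?useSSL=true&serverTimezone=UTC"}],
})

if __name__ == "__main__":
    print(audit_job(SAMPLE_JOB))
```

A check like this fits in a reverse proxy or review step in front of the job-submission endpoint, or in a sweep over stored job definitions.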