In Kafka-UI versions 0.6.0 through 0.7.2 a high severity vulnerability CVE-2025-60536 was detected. This vulnerability in the Configure New Cluster interface allows attackers to cause a denial of service (DoS) by uploading a crafted configuration file. To fix this vulnerability, users should upgrade to a version later than 0.7.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-60536.
In Redis versions 8.2.0 through 8.2.2 a high severity vulnerability CVE-2025-62507 was detected. This vulnerability allows remote attackers to trigger a stack buffer overflow during execution of the XACKDEL command, which may potentially lead to remote code execution. To fix this vulnerability, users should upgrade to Redis version 8.2.3 or later. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-62507.
In Apache Airflow versions from 3.0.0 up to but not including 3.0.5 a medium severity vulnerability CVE-2025-54941 was detected. This vulnerability allows a UI user to redirect the example DAG via the example_dag_decorator parameter to a malicious server and execute code on a worker, when example DAGs are enabled in production or similar DAG code is copied. To fix this vulnerability, users should upgrade to Airflow version 3.0.5 or later. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-54941.
In Apache Airflow versions 3.0.0 through 3.1.0 inclusive a medium severity vulnerability CVE-2025-62402 was detected. This vulnerability allows API users, via the /api/v2/dagReports endpoint, to execute DAG Python code in the context of the API server if the API server is deployed in an environment where DAG files are accessible. To fix this vulnerability, users should upgrade to Apache Airflow version 3.1.1 or later. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-62402.
In Apache Airflow versions 3.0.0 up to and including 3.1.0 a medium severity vulnerability CVE-2025-62503 was detected. This vulnerability allows a user with only CREATE privileges (and no UPDATE privileges) for Pools, Connections, or Variables to update existing records via the bulk create API when the overwrite action is used. To fix this vulnerability, users should upgrade to version 3.1.1 or later. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-62503.
In Kibana versions 7.0.0 through 7.17.29, 8.0.0 through 8.18.7, 8.19.0 through 8.19.3, 9.0.0 through 9.0.6, and 9.1.0 through 9.1.3, a high severity vulnerability CVE-2025-25017 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via improperly neutralized input during web page generation in Vega visualizations. Users should update Kibana to versions 8.18.8, 8.19.4, 9.0.7, or 9.1.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25017.
In Apache Spark versions before 3.4.4, 3.5.2, and 4.0.0 a medium severity vulnerability CVE-2025-55039 was detected. When spark.network.crypto.enabled is true but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication. This allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows. To address this issue, users should upgrade Apache Spark to 3.4.4, 3.5.2, or 4.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55039.
In Kibana versions prior to 8.18.8, 8.19.5, 9.0.8, and 9.1.5 a high severity vulnerability CVE-2025-25018 was detected. Improper neutralization of input during web page generation allows an attacker to inject and store malicious scripts, leading to stored Cross-Site Scripting. To address this issue, users should upgrade Kibana to versions 8.18.8, 8.19.5, 9.0.8, or 9.1.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-25018.
In Elasticsearch versions from 7.0.0 up to and including 7.17.29, from 8.0.0 up to and including 8.18.7, from 8.19.0 up to and including 8.19.4, from 9.0.0 up to and including 9.0.7, and from 9.1.0 up to and including 9.1.4 a medium severity vulnerability CVE-2025-37727 was detected. This vulnerability allows sensitive information to be inserted into log files when auditing requests to the reindex API, potentially leading to a loss of confidentiality under specific conditions. To address this issue, users should update Elasticsearch to versions 8.18.8, 8.19.5, 9.0.8, or 9.1.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-37727.