A newly disclosed vulnerability, CVE-2025-32896, in Apache SeaTunnel, a widely used distributed data integration platform, could allow unauthenticated attackers to read arbitrary files and execute deserialization-based attacks.
SeaTunnel is a next-generation, high-performance data integration engine used for synchronizing massive data volumes across diverse environments. Its trust and adoption by large-scale organizations make this flaw particularly dangerous.
The vulnerability stems from unauthenticated access to a legacy REST API endpoint:
/hazelcast/rest/maps/submit-job
An attacker can exploit this by submitting a job to SeaTunnel using RESTful API v1, injecting malicious parameters into a MySQL connection URL. This can lead to:
- Arbitrary file read from the server's filesystem
- Remote code execution through unsafe Java object deserialization
"Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1," the Openwall disclosure states.
Because this endpoint does not enforce authentication, it provides a wide-open vector for attackers to execute malicious payloads and gain access to sensitive backend resources.
The issue has been patched in Apache SeaTunnel version 2.3.11. Users are advised to:
- Upgrade to 2.3.11 or later
- Enable RESTful API v2 instead of v1
- Activate HTTPS two-way authentication for all SeaTunnel nodes
The fix was implemented via pull request #9010, which updates access control logic and secures the API endpoints.
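As a defense-in-depth complement to the upgrade, job definitions can be screened for MySQL connection URLs that carry unexpected parameters before they reach the engine. The following is an added example, not code from the article or from the SeaTunnel project; the job field names, the allowlist contents and the function names `check_mysql_url` and `audit_job` are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Assumed allowlist: only the Connector/J options this deployment actually needs.
ALLOWED_PARAMS = {"useSSL", "serverTimezone", "characterEncoding", "connectTimeout"}

# Strict shape: plain host, optional port, database name, optional query string.
# Anything that does not match is rejected rather than interpreted.
MYSQL_URL = re.compile(r"jdbc:mysql://[A-Za-z0-9.-]+(?::\d{1,5})?/\w+(?:\?(?P<query>[^#]*))?")


def check_mysql_url(url):
    """Return the reasons to reject the URL (an empty list means accepted)."""
    match = MYSQL_URL.fullmatch(url.strip())
    if match is None:
        return ["URL does not match the strict jdbc:mysql://host[:port]/db form"]
    # parse_qsl percent-decodes names, so encoded option names are compared too.
    params = parse_qsl(match.group("query") or "", keep_blank_values=True)
    return [f"parameter not on allowlist: {name}"
            for name, _ in params if name not in ALLOWED_PARAMS]


def audit_job(node, path="$"):
    """Walk a decoded job definition and report every rejected MySQL URL."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings += audit_job(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings += audit_job(value, f"{path}[{index}]")
    elif isinstance(node, str) and node.strip().lower().startswith("jdbc:mysql"):
        findings += [(path, reason) for reason in check_mysql_url(node)]
    return findings

# Constructed sample job body; the field names are illustrative assumptions.
SAMPLE_JOB = {
    "env": {"job.mode": "batch"},
    "source": [{"plugin_name": "Jdbc", "query": "select * from orders",
                "url": "jdbc:mysql://db.internal.example:3306/orders?useSSL=true&unexpected%4Fption=1"}],
    "sink": [{"plugin_name": "Jdbc",
              "url": "jdbc:mysql://db.internal.example:3306/archive?useSSL=true"}],
}

if __name__ == "__main__":
    for where, reason in audit_job(SAMPLE_JOB):
        print(f"REJECT {where}: {reason}")
```

Because the check is an allowlist with a strict URL shape, it fails closed on option names and URL forms it does not recognise instead of depending on a list of known-bad parameters.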