The Apache Software Foundation has published a new advisory disclosing three vulnerabilities in Apache Kylin, a high-concurrency OLAP engine widely used for big data analytics. The flaws, tracked as CVE-2025-61733, CVE-2025-61734, and CVE-2025-61735, affect versions 4.0.0 through 5.0.2 and have now been patched in version 5.0.3.
CVE-2025-61733: Authentication Bypass
The most critical issue, CVE-2025-61733, is rated High severity. According to the advisory, it is an “Authentication Bypass Using an Alternate Path or Channel in Apache Kylin.”
This could allow attackers to bypass authentication mechanisms entirely, potentially granting unauthorized access to sensitive data or administrative functions within Kylin environments. Given the platform’s role in large-scale analytics, exploitation of this flaw poses a significant risk to enterprises relying on Kylin for business intelligence.
CVE-2025-61734: Improper Restriction of File Read
The second vulnerability, CVE-2025-61734, is classified as Low severity but still poses risks in poorly secured environments. The advisory explains: “Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin’s system and project admin access is well protected.”
If exploited, attackers with sufficient access could retrieve sensitive files from the system, leading to data leakage or reconnaissance for further attacks.
CVE-2025-61735: Server-Side Request Forgery (SSRF)
The third flaw, CVE-2025-61735, is another Low severity issue involving Server-Side Request Forgery (SSRF). The advisory notes: “Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin.”
SSRF vulnerabilities allow attackers to trick a vulnerable server into making requests to internal services or external systems, potentially exposing sensitive metadata or enabling lateral movement.
Mitigation and Upgrade Guidance
All three vulnerabilities affect Apache Kylin versions 4.0.0 through 5.0.2. Users are strongly advised to upgrade to version 5.0.3, which includes fixes for the issues.