CVE-2025-27446

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-27446
Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/qwxnxolt0j5nvjfpr0mlz6h7nrtvyzng Mailing List Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*
History

14 Jul 2025, 18:10

Type Values Removed Values Added
CPE cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*
References () https://lists.apache.org/thread/qwxnxolt0j5nvjfpr0mlz6h7nrtvyzng - () https://lists.apache.org/thread/qwxnxolt0j5nvjfpr0mlz6h7nrtvyzng - Mailing List, Vendor Advisory
First Time Apache
Apache apisix

08 Jul 2025, 18:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8

08 Jul 2025, 16:18

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de asignación incorrecta de permisos para recursos críticos en Apache APISIX(java-plugin-runner). Los permisos de los archivos de escucha locales en el ejecutor de complementos de APISIX permiten a un atacante local elevar privilegios. Este problema afecta a Apache APISIX(java-plugin-runner): de la 0.2.0 a la 0.5.0. Se recomienda actualizar a la versión 0.6.0 o superior, que soluciona el problema.

06 Jul 2025, 06:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-06 06:15

Updated : 2025-07-14 18:10

NVD link : CVE-2025-27446

Mitre link : CVE-2025-27446

CVE.ORG link : CVE-2025-27446

JSON object : View

Products Affected

apache

  • apisix
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource