CVE-2025-48977: CWE-23 Relative Path Traversal in Apache Software Foundation Apache Ignite
Relative Path Traversal vulnerability in the Apache Ignite REST API. Authenticated REST API users can read any file on the server with the "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite from 2.0.0 through 2.17.0. Users are recommended to upgrade to version 2.18.0, which fixes the issue.
AI Analysis (machine-generated threat intelligence)
Technical Summary
This vulnerability (CVE-2025-48977) in Apache Ignite allows authenticated REST API users to perform a relative path traversal via the "cmd=log" command by crafting its log path parameter. Because the supplied path is not confined to the intended log directory, the command can be made to return any file on the server that the Ignite process is permitted to read. The flaw affects Apache Ignite versions from 2.0.0 through 2.17.0; the Apache Software Foundation fixed it in version 2.18.0.
Potential Impact
Exploitation of this vulnerability allows authenticated REST API users to read arbitrary files on the server, potentially exposing sensitive information. The CVSS 4.0 score of 8.5 (high) reflects a network attack vector, low attack complexity, and no user interaction required; the authentication requirement limits exposure to holders of REST API credentials. There are no known exploits in the wild at this time.
Mitigation Recommendations
Users should upgrade Apache Ignite to version 2.18.0 or later, where this vulnerability is fixed; the vendor advisory confirms the fix and recommends the upgrade. Until the upgrade is applied, restricting network access to the REST API to trusted clients and reviewing REST access logs for "cmd=log" requests with unexpected log path values are reasonable compensating measures.
CVSS v4.0
Score: 8.5 (high)
Weaknesses: CWE-23 Relative Path Traversal
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2025-05-29T07:39:39.245Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a181685e29bf47b50d4f6d7
Added to database: 5/28/2026, 10:18:45 AM
Last enriched: 5/28/2026, 10:33:31 AM
Last updated: 5/29/2026, 5:43:32 PM