CVE-2025-66524: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache NiFi
Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distributed Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.
AI Analysis
Technical Summary
Apache NiFi versions 1.20.0 through 2.6.0 include a vulnerability identified as CVE-2025-66524, classified under CWE-502 (Deserialization of Untrusted Data). The issue resides in the GetAsanaObject Processor, which integrates with a configurable Distributed Map Cache Client Service to store and retrieve state information. This processor employs generic Java object serialization and deserialization without applying any filtering or validation on the serialized data. Such unfiltered deserialization exposes the system to crafted malicious payloads that can be injected into the cache server. When the NiFi instance deserializes this malicious data, it may lead to remote code execution, privilege escalation, or denial of service. Exploitation requires that the attacker has direct access to the cache server configured for the GetAsanaObject Processor and that the NiFi system is running this processor. The vulnerability does not require user interaction but does require privileges to access the cache server. The Apache Software Foundation addressed this vulnerability in NiFi version 2.7.0 by replacing Java object serialization with safer JSON serialization, which does not allow arbitrary code execution during deserialization. Alternatively, removing the GetAsanaObject Processor (found in the nifi-asana-processors-nar bundle) also prevents exploitation. The CVSS v4.0 base score is 7.5, indicating a high severity due to the potential for remote exploitation without user interaction but requiring some privileges and direct access to the cache server. No known exploits are currently reported in the wild.
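The unfiltered read pattern the summary describes, beside a reader that applies a JEP 290 class allow-list, as an added Java example that is not NiFi's code: FetchState, the cache bytes and the java.util.Date sample are constructed stand-ins for whatever GetAsanaObject actually stores. NiFi's own fix in 2.7.0 moved to JSON; the filter shown here is the defence-in-depth layer for any Java code that still reads serialized objects back from a shared cache.

```java
import java.io.*;

// Illustration added for this advisory, not Apache NiFi code. FetchState is a
// hypothetical stand-in for the state a processor would store in a cache service.
public class CacheStateDemo {
    public static final class FetchState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String lastFingerprint;
        FetchState(String lastFingerprint) { this.lastFingerprint = lastFingerprint; }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(value); }
        return bos.toByteArray();
    }

    // The CWE-502 pattern: whatever class the cached bytes name is resolved and
    // instantiated before the caller can check the result's type.
    static Object readUnfiltered(byte[] cached) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            return ois.readObject();
        }
    }

    // Hardened read: JEP 290 allow-list limited to the expected state class (and the
    // String it contains); every other class is rejected, and depth/size are capped.
    static FetchState readFiltered(byte[] cached) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=4096;" + FetchState.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            ois.setObjectInputFilter(filter);
            return (FetchState) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new FetchState("constructed-fingerprint-1"));
        System.out.println("filtered read ok: " + readFiltered(good).lastFingerprint);
        // Constructed sample of an unexpected class landing in the cache (java.util.Date
        // is harmless; the point is that the allow-list refuses it before instantiation).
        byte[] unexpected = serialize(new java.util.Date(0L));
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same bytes passed to readUnfiltered would be instantiated without any check, which is exactly the exposure the advisory attributes to the cache-backed state.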
Potential Impact
The impact of CVE-2025-66524 on organizations worldwide can be significant, especially for those relying on Apache NiFi for data flow automation and integration. Successful exploitation could allow attackers to execute arbitrary code within the NiFi environment, potentially leading to full system compromise, data exfiltration, or disruption of critical data pipelines. This could result in operational downtime, loss of data integrity, and exposure of sensitive information. Since NiFi is often deployed in enterprise environments for processing sensitive data streams, the vulnerability could affect industries such as finance, healthcare, telecommunications, and government agencies. The requirement for direct cache server access limits the attack surface but does not eliminate risk, particularly in environments where internal network segmentation is weak or where cache servers are exposed or accessible by unauthorized users. The vulnerability could also be leveraged as a pivot point for lateral movement within a compromised network. Given the high severity and the critical role of NiFi in data workflows, organizations must prioritize mitigation to avoid potential operational and reputational damage.
Mitigation Recommendations
To mitigate CVE-2025-66524, organizations should take the following specific actions:
1) Upgrade Apache NiFi to version 2.7.0 or later, where the vulnerable Java object serialization is replaced with safer JSON serialization, effectively eliminating the deserialization risk.
2) If immediate upgrade is not feasible, remove or disable the GetAsanaObject Processor by uninstalling the nifi-asana-processors-nar bundle to prevent the vulnerable code from executing.
3) Restrict and tightly control access to the Distributed Map Cache Client Service and its cache servers, ensuring they are not exposed to untrusted networks or users. Implement network segmentation and firewall rules to limit access only to authorized NiFi components and administrators.
4) Monitor cache server logs and NiFi audit trails for unusual or unauthorized access patterns that could indicate attempted exploitation.
5) Conduct internal security assessments and penetration tests focusing on NiFi deployments to identify any exposure of cache servers or misconfigurations.
6) Educate system administrators and DevOps teams about the risks of untrusted deserialization and the importance of applying security updates promptly.
7) Review and harden NiFi configurations to minimize attack surface, including disabling unused processors and services.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2025-12-04T03:58:31.257Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69451a4cc326d36e53765d34
Added to database: 12/19/2025, 9:26:36 AM
Last enriched: 2/27/2026, 6:57:35 AM
Last updated: 3/25/2026, 3:11:11 AM