
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN843
_____________________________________________________________________

DATE                : 11/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HugeGraph-Server versions
                     prior to 1.7.0.

=====================================================================
https://lists.apache.org/thread/sd39g2bpo6pyohpy31z678p990sxoonh
_____________________________________________________________________

CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization
vulnerability

Severity: moderate

Affected versions:

- Apache HugeGraph-Server 1.0.0 ~ 1.5.0 (before 1.7.0)

Description:

A remote code execution vulnerability exists: a malicious Raft node can
send a crafted Hessian payload to the PD store, which deserializes it
without restricting the classes that may be instantiated. The fix
enforces IP-based authentication to restrict cluster membership and adds
a strict class whitelist to harden Hessian deserialization against
object injection attacks. Note that an address-based membership check
only holds while the Raft/PD endpoints are unreachable from untrusted
networks, so keep them firewalled to cluster hosts; the class whitelist
is the defence that remains if that boundary fails.

Users are recommended to upgrade to version 1.7.0, which fixes the
issue.
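
The following is an added illustration of the two mitigations named
above, not code from HugeGraph or from the fix in PR 2735: a hypothetical
peer-message decoder that checks the sender's address against the cluster
membership before parsing anything, then deserializes with a Hessian
class whitelist. The package, class names, message type and addresses are
made up; the Hessian calls assume com.caucho:hessian 4.0.51 or newer
(the release that introduced the ClassFactory allow/deny API) and
Java 11+.

```java
package com.example.cluster;   // hypothetical package, not HugeGraph's

import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.Hessian2Output;
import com.caucho.hessian.io.SerializerFactory;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.Serializable;
import java.net.InetAddress;
import java.util.Set;

/** Hypothetical peer message: the only type the decoder agrees to instantiate. */
class PeerHeartbeat implements Serializable {
    private static final long serialVersionUID = 1L;
    String nodeId;
    long term;
}

/** Stand-in for any Serializable class already on the server classpath (a gadget, in a real attack). */
class NotAllowlisted implements Serializable {
    private static final long serialVersionUID = 1L;
    String command = "touch /tmp/pwned";
}

public class HardenedPeerDecoder {
    private final Set<InetAddress> clusterMembers;  // assumption: loaded from the cluster config
    private final SerializerFactory factory = new SerializerFactory();

    public HardenedPeerDecoder(Set<InetAddress> clusterMembers) {
        this.clusterMembers = clusterMembers;
        // Whitelist mode: only classes matching an allow() pattern are loaded; Hessian's
        // built-in deny list (java.lang.Runtime, java.lang.Process, ...) stays in force.
        factory.getClassFactory().setWhitelist(true);
        factory.getClassFactory().allow("com.example.cluster.PeerHeartbeat");
    }

    /** Check 1: cluster membership by source address, before a single byte is parsed. */
    public PeerHeartbeat decode(InetAddress source, byte[] payload) throws IOException {
        if (!clusterMembers.contains(source)) {
            throw new SecurityException("Hessian payload from non-member " + source.getHostAddress());
        }
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(payload));
        in.setSerializerFactory(factory);
        Object obj = in.readObject();
        in.close();
        // Check 2: a class that fails the allowlist is never instantiated (Hessian's
        // ClassFactory resolves it to java.util.HashMap instead of loading it). Whether
        // the denial surfaces as a substituted map or as a decode error, only a
        // PeerHeartbeat gets past this type check.
        if (!(obj instanceof PeerHeartbeat)) {
            throw new SecurityException("unexpected payload type " + obj.getClass().getName());
        }
        return (PeerHeartbeat) obj;
    }

    static byte[] encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        Hessian2Output out = new Hessian2Output(bos);
        out.writeObject(o);
        out.close();  // flushes the Hessian buffer into bos
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        InetAddress member = InetAddress.getByName("10.0.0.2");      // constructed addresses,
        InetAddress stranger = InetAddress.getByName("203.0.113.9"); // no DNS lookup for literals
        HardenedPeerDecoder decoder = new HardenedPeerDecoder(Set.of(member));

        PeerHeartbeat hb = new PeerHeartbeat();
        hb.nodeId = "pd-2";
        hb.term = 7;
        PeerHeartbeat ok = decoder.decode(member, encode(hb));
        System.out.println("accepted: " + ok.nodeId + " term=" + ok.term);

        try {
            decoder.decode(stranger, encode(hb));
        } catch (SecurityException e) {
            System.out.println("rejected (membership): " + e.getMessage());
        }
        try {
            decoder.decode(member, encode(new NotAllowlisted()));
        } catch (SecurityException | IOException e) {
            System.out.println("rejected (class allowlist): " + e.getMessage());
        }
    }
}
```

Compile with the Hessian jar on the classpath (javac -d out -cp
hessian.jar HardenedPeerDecoder.java) and run with
java -cp out:hessian.jar com.example.cluster.HardenedPeerDecoder. Two
design points matter: the membership check runs before any bytes reach
the Hessian parser, so a stranger cannot trigger deserialization at all,
and the allow() pattern names one exact class rather than a package
wildcard, since a "com.example.*" pattern would re-admit every class
under that prefix, gadgets included.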

Credit:

- shukuang (reporter)
- yulate (reporter)
- X1r0z (reporter)
- haohao0103 (remediation developer)

References:

- https://hugegraph.apache.org/docs/guides/security/
- https://lists.apache.org/thread/6f502dvyrckwp8tz2k73zlko8qr7wt5x
- https://github.com/apache/incubator-hugegraph/pull/2735
- https://www.cve.org/CVERecord?id=CVE-2025-26866


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================