
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN895
_____________________________________________________________________

DATE                : 22/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache NiFi versions prior to
                     2.7.0.

=====================================================================
https://lists.apache.org/thread/k9h004ydjg7opdvxr0nfywtzf33z60d7
_____________________________________________________________________

CVE-2025-66524: Apache NiFi: Deserialization of Untrusted Data in
GetAsanaObject Processor

Severity: 

Affected versions:

- Apache NiFi (org.apache.nifi:nifi-asana-processors) 1.20.0 through 2.6.0

Description:

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor,
which requires integration with a configurable Distributed Map Cache
Client Service for storing and retrieving state information. The
GetAsanaObject Processor used generic Java Object serialization and
deserialization without filtering. Unfiltered Java object
deserialization does not provide protection against crafted state
information stored in the cache server configured for GetAsanaObject.
Exploitation requires an Apache NiFi system running with the
GetAsanaObject Processor, and direct access to the configured cache
server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation,
which replaces Java Object serialization with JSON serialization.
Removing the GetAsanaObject Processor located in the
nifi-asana-processors-nar bundle also prevents exploitation.
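The paragraph above describes two things: why unfiltered Java object deserialization trusts whatever class name is stored in the cache entry, and that the 2.7.0 fix replaced Java serialization with JSON. The Java program below is an added illustration written for this note, not code from Apache NiFi or from the finder; the class names SyncState, NotState and the cache bytes are constructed for the example. It puts the unfiltered read pattern beside a JEP 290 allow-list filter (ObjectInputFilter, JDK 9 and later), which is the in-place hardening a reviewer would ask for when a component cannot yet move to a non-object format.

```java
// Added example, not Apache NiFi code: unfiltered versus allow-listed
// deserialization of "state" bytes read back from a shared cache.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredStateDeserialization {

    // Hypothetical state record a processor might keep in a distributed cache.
    public static final class SyncState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String lastObjectId;    // constructed value, not a real Asana id
        final long lastFingerprint;

        SyncState(String lastObjectId, long lastFingerprint) {
            this.lastObjectId = lastObjectId;
            this.lastFingerprint = lastFingerprint;
        }
    }

    // Any other Serializable class stands in for a cache entry the processor
    // did not write itself: the unfiltered reader will instantiate it anyway.
    public static final class NotState implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: the class named inside the bytes is resolved and
    // built before the caller can check what it got.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: only SyncState may appear in the stream, nesting is
    // capped, and everything else is rejected before its class is loaded.
    static final ObjectInputFilter STATE_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=2;" + SyncState.class.getName() + ";!*");

    static SyncState readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(STATE_ONLY);
            return (SyncState) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SyncState("1203", 42L));   // constructed state
        byte[] foreign = serialize(new NotState());                  // constructed cache entry

        // Unfiltered: the foreign class is instantiated without complaint.
        System.out.println("unfiltered read returned: "
                + readUnfiltered(foreign).getClass().getSimpleName());

        // Filtered: the expected record still round-trips ...
        System.out.println("filtered read of state: " + readFiltered(expected).lastObjectId);

        // ... and the foreign entry is refused with InvalidClassException.
        try {
            readFiltered(foreign);
            System.out.println("unexpected: foreign entry accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered read rejected foreign entry: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac FilteredStateDeserialization.java && java FilteredStateDeserialization`. The rejection happens inside `readObject` when the filter returns REJECTED for the class descriptor, so no constructor, `readObject` method or static initializer of the foreign class ever runs. The allow-list still leaves the cache server as a trust boundary, which is why the advisory's own recommendation is the 2.7.0 upgrade (JSON, no object graph to deserialize) or removing the processor.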

This issue is being tracked as NIFI-15292.

Credit:

Jaeyeong Lee (finder)

References:

https://nifi.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-66524
https://issues.apache.org/jira/browse/NIFI-15292

Timeline:

2025-12-01: reported
2025-12-04: resolved


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
