MEDIUM 6.5

CVE-2025-48977

Apache Ignite REST API contains a path traversal vulnerability that allows authenticated users to read arbitrary files from the server by manipulating the log path parameter in API commands. An attacker with valid REST API credentials can escape the intended log directory and access sensitive files anywhere on the system. This affects Ignite versions 2.0.0 through 2.17.0, and the vendor has released version 2.18.0 to address it.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-23
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0. Users are recommended to upgrade to version 2.18.0, which fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-48977 is a relative path traversal vulnerability (CWE-23) in Apache Ignite's REST API. The vulnerability exists in the 'cmd=log' command handler, which fails to properly validate or sanitize the log path parameter. Authenticated API users can craft malicious path sequences (such as '../') to traverse outside the designated log directory and read arbitrary files with the privileges of the Ignite process. The CVSS 3.1 score of 6.5 reflects a network-exploitable vulnerability requiring valid authentication, with high confidentiality impact but no integrity or availability risk.

Business impact

Successful exploitation enables unauthorized disclosure of sensitive data stored on Ignite servers, including application logs, configuration files, credentials, database connection strings, and other proprietary information. For organizations using Ignite in production environments, this creates a significant insider threat and compliance risk—especially in regulated industries handling PII or financial data. The requirement for authentication limits exposure to trusted users or those who have compromised valid API credentials, but the breadth of accessible files amplifies the damage potential of credential compromise.

Affected systems

Apache Ignite versions 2.0.0 through 2.17.0 are vulnerable. Version 2.18.0 and later contain the fix. The vulnerability affects any Ignite deployment that exposes the REST API to authenticated users, including cloud-hosted and on-premises instances. Installations where the REST API is restricted to internal networks face lower risk than those with broader access controls.

Exploitability

Exploitation requires valid REST API authentication credentials and network access to the REST endpoint. No special privileges or user interaction is needed beyond authentication. The attack is straightforward—an authenticated attacker crafts a single REST API request with a malicious log path. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no active, widespread exploitation has been publicly reported, but the simplicity of the attack means exploitation tools could be rapidly developed or adapted.

Remediation

Upgrade Apache Ignite to version 2.18.0 or later. Organizations unable to patch immediately should implement network-level access controls to restrict REST API access to trusted internal networks only, implement and enforce strong authentication for REST API access, audit REST API logs for suspicious log path parameters or directory traversal attempts, and consider disabling the REST API entirely if not actively used.

Patch guidance

Apply the vendor-recommended upgrade to Apache Ignite 2.18.0. Review and test the upgrade in a staging environment before production deployment, as it may include other changes. Verify patch application by confirming the version number post-upgrade. Organizations should coordinate the upgrade with their change management process and plan for service restarts if required. Validate that REST API functionality works as expected after patching.

Detection guidance

Monitor REST API access logs for cmd=log requests containing path traversal sequences such as '../', '..\', or encoded variants (%2e%2e%2f). Inspect the log path parameter for attempts to escape the expected log directory. Correlate suspicious REST API calls with user authentication records to identify the source. Network intrusion detection systems can be tuned to flag requests with traversal patterns to Ignite REST endpoints. Baseline normal log query patterns in your environment and alert on deviations.

Why prioritize this

Although rated MEDIUM severity, this vulnerability warrants prompt attention because it enables confidential data exfiltration from production systems. Organizations with strict data protection requirements or those running Ignite in sensitive environments should prioritize patching. The authentication requirement reduces the attack surface compared to unauthenticated vulnerabilities, but the high confidentiality impact and ease of exploitation—once credentials are obtained—make this a solid candidate for near-term remediation cycles. Factor internal REST API exposure and credential hygiene into your risk prioritization.

Risk score, explained

CVSS 3.1 score of 6.5 (MEDIUM) reflects: network-based attack vector requiring no special network positioning, low attack complexity with no special conditions, requirement for valid authentication (reducing exposure), no user interaction needed, unauthorized information disclosure with high confidentiality impact, and no integrity or availability impact. The score appropriately captures a credentialed, read-only information disclosure risk that is serious but not as critical as vulnerabilities enabling unauthenticated access or system compromise.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. CVE-2025-48977 requires valid REST API authentication credentials. An attacker must either have a legitimate user account or have compromised valid API keys or tokens. This authentication requirement significantly limits the attack surface.

What types of files can be accessed through this vulnerability?

An attacker can read any file on the server filesystem that the Ignite process has permission to read. This typically includes log files, configuration files with embedded credentials, application data, and potentially system files depending on the process's privilege level. The scope of accessible data depends on the operating system, file permissions, and how Ignite is deployed.

Does upgrading to version 2.18.0 require downtime?

Upgrading Ignite may require a service restart depending on your deployment architecture. Verify the specific upgrade requirements in the vendor's release notes and test the upgrade process in a non-production environment first. Organizations with high-availability requirements should plan accordingly and consider canary or staged deployments.

If we don't use the REST API, are we still affected?

If the REST API is completely disabled in your Ignite configuration, you are not affected by this vulnerability. However, verify that the REST API is explicitly disabled and not simply unexosed. Review your Ignite configuration files to confirm REST API components are not active.

This analysis is provided for informational purposes based on publicly disclosed vulnerability data. SEC.co does not conduct independent verification of patch effectiveness or vendor claims. Organizations should validate patch application against official vendor advisories and conduct their own security testing. Deployment-specific risk factors—such as network exposure, authentication controls, and data sensitivity—must be evaluated in your operational context. For the most current information, consult the official Apache Ignite security documentation and vendor announcements. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-10074MEDIUM

    CVE-2026-10074: DreamMaker Arbitrary File Read Vulnerability (MEDIUM)

  • CVE-2025-41271HIGH

    CVE-2025-41271: Waterfall WF-500 Path Traversal – Arbitrary File Read Vulnerability

  • CVE-2025-41280HIGH

    CVE-2025-41280: Waterfall WF-500 RX Host Path Traversal (Zip Slip) Code Execution Vulnerability

  • CVE-2026-10073HIGH

    CVE-2026-10073: DreamMaker Arbitrary File Read via Relative Path Traversal

  • CVE-2026-40861MEDIUM

    CVE-2026-40861: Apache Airflow Path Traversal – Log Directory Symlink and Directory Escape Vulnerability

  • CVE-2026-40914MEDIUM

    CVE-2026-40914: Apache Artemis STOMP Protocol Authorization Bypass

  • CVE-2026-41014MEDIUM

    CVE-2026-41014: Apache Airflow Unauthorized DAG Access via Asset Permissions

  • CVE-2026-41017MEDIUM

    CVE-2026-41017: Apache Airflow JWT Cookie Secure Flag Bypass | SEC.co