CVE-2025-29847 (GCVE-0-2025-29847)
Vulnerability from cvelistv5 – Published: 2026-01-19 08:36 – Updated: 2026-01-20 15:12
VLAI
Title
Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass
Summary
A vulnerability in Apache Linkis.
Problem Description
When using the JDBC engine and da
When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.
Scope of Impact
This issue affects Apache Linkis: from 1.3.0 through 1.7.0.
Severity level
moderate
Solution
Continuously check if the connection information contains the "%" character; if it does, perform URL decoding.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Linkis |
Affected:
1.3.0 , ≤ 1.7.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-01-19T09:11:59.096Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/19/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-29847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:10:49.304422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:12:04.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Linkis",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.7.0",
"status": "affected",
"version": "1.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Le1a and A1kaid from Threatbook"
},
{
"lang": "en",
"type": "analyst",
"value": "kinghao"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Le1a from Threatbook"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "kinghao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in Apache Linkis.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eProblem Description\u003c/b\u003e\u003cbr\u003eWhen using the JDBC engine and da\u003cbr\u003eWhen using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system\u0027s checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.\u003c/p\u003e\u003cb\u003eScope of Impact\u003c/b\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis issue affects Apache Linkis: from 1.3.0 through 1.7.0.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eSeverity level\u003c/b\u003e\u003cbr\u003e\u003c/span\u003e\n\nmoderate\u003cbr\u003e\u003cp\u003e\u003cb\u003eSolution\u003c/b\u003e\u003cbr\u003eContinuously check if the connection information contains the \"%\" character; if it does, perform URL decoding.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMore questions about this vulnerability can be discussed here:\u003c/span\u003e\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve\"\u003ehttps://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "A vulnerability in Apache Linkis.\n\nProblem Description\nWhen using the JDBC engine and da\nWhen using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system\u0027s checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.\n\nScope of Impact\n\n\nThis issue affects Apache Linkis: from 1.3.0 through 1.7.0.\n\nSeverity level\n\n\nmoderate\nSolution\nContinuously check if the connection information contains the \"%\" character; if it does, perform URL decoding.\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\n\n\n\n\nMore questions about this vulnerability can be discussed here:\u00a0 https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T08:36:06.839Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-29847",
"datePublished": "2026-01-19T08:36:06.839Z",
"dateReserved": "2025-03-12T03:28:05.936Z",
"dateUpdated": "2026-01-20T15:12:04.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-29847",
"date": "2026-06-27",
"epss": "0.00744",
"percentile": "0.50112"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-29847\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-01-19T09:16:01.237\",\"lastModified\":\"2026-06-17T09:05:47.277\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in Apache Linkis.\\n\\nProblem Description\\nWhen using the JDBC engine and da\\nWhen using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system\u0027s checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.\\n\\nScope of Impact\\n\\n\\nThis issue affects Apache Linkis: from 1.3.0 through 1.7.0.\\n\\nSeverity level\\n\\n\\nmoderate\\nSolution\\nContinuously check if the connection information contains the \\\"%\\\" character; if it does, perform URL decoding.\\n\\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\\n\\n\\n\\n\\nMore questions about this vulnerability can be discussed here:\u00a0 https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en Apache Linkis.\\n\\nDescripci\u00f3n del problema\\nAl utilizar el motor JDBC y la funcionalidad de fuente de datos, si el par\u00e1metro URL configurado en el frontend ha sido sometido a m\u00faltiples rondas de codificaci\u00f3n URL, puede eludir las comprobaciones del sistema. Esta elusi\u00f3n puede desencadenar una vulnerabilidad que permite el acceso no autorizado a archivos del sistema a trav\u00e9s de par\u00e1metros JDBC.\\n\\nAlcance del impacto\\nEste problema afecta a Apache Linkis: desde la 1.3.0 hasta la 1.7.0.\\n\\nNivel de gravedad\\nmoderado\\nSoluci\u00f3n\\nComprobar continuamente si la informaci\u00f3n de conexi\u00f3n contiene el car\u00e1cter \u0027%\u0027; si lo contiene, realizar la decodificaci\u00f3n URL.\\n\\nSe recomienda a los usuarios actualizar a la versi\u00f3n 1.8.0, que corrige el problema.\\n\\nM\u00e1s preguntas sobre esta vulnerabilidad pueden discutirse aqu\u00ed: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve\"}],\"affected\":[{\"source\":\"security@apache.org\",\"affectedData\":[{\"vendor\":\"Apache Software Foundation\",\"product\":\"Apache Linkis\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"1.3.0\",\"lessThanOrEqual\":\"1.7.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-20T15:10:49.304422Z\",\"id\":\"CVE-2025-29847\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3.0\",\"versionEndExcluding\":\"1.8.0\",\"matchCriteriaId\":\"4ADF588F-526C-4CEC-9F76-44D1BE9ACD27\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/09/19/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/09/19/2\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-01-19T09:11:59.096Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-29847\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-20T15:10:49.304422Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-20T15:11:56.835Z\"}}], \"cna\": {\"title\": \"Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Le1a and A1kaid from Threatbook\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"kinghao\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Le1a from Threatbook\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"kinghao\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Linkis\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.3.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.7.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in Apache Linkis.\\n\\nProblem Description\\nWhen using the JDBC engine and da\\nWhen using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system\u0027s checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.\\n\\nScope of Impact\\n\\n\\nThis issue affects Apache Linkis: from 1.3.0 through 1.7.0.\\n\\nSeverity level\\n\\n\\nmoderate\\nSolution\\nContinuously check if the connection information contains the \\\"%\\\" character; if it does, perform URL decoding.\\n\\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\\n\\n\\n\\n\\nMore questions about this vulnerability can be discussed here:\\u00a0 https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eA vulnerability in Apache Linkis.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eProblem Description\u003c/b\u003e\u003cbr\u003eWhen using the JDBC engine and da\u003cbr\u003eWhen using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system\u0027s checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.\u003c/p\u003e\u003cb\u003eScope of Impact\u003c/b\u003e\u003cbr\u003e\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThis issue affects Apache Linkis: from 1.3.0 through 1.7.0.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eSeverity level\u003c/b\u003e\u003cbr\u003e\u003c/span\u003e\\n\\nmoderate\u003cbr\u003e\u003cp\u003e\u003cb\u003eSolution\u003c/b\u003e\u003cbr\u003eContinuously check if the connection information contains the \\\"%\\\" character; if it does, perform URL decoding.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eMore questions about this vulnerability can be discussed here:\u003c/span\u003e\u0026nbsp;\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve\\\"\u003ehttps://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-01-19T08:36:06.839Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-29847\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-20T15:12:04.287Z\", \"dateReserved\": \"2025-03-12T03:28:05.936Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-01-19T08:36:06.839Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…