Cyber Resilience

CVE-2024-55532

Critical

Published: 03 March 2025

Modified: 21 May 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0054 (68.1st percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55532 is a critical-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Apache Ranger. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 31.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-55532 is an improper neutralization of formula elements vulnerability in the Export CSV feature of Apache Ranger versions prior to 2.6.0. Published on March 3, 2025, this flaw (mapped to CWE-1236) carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.

Remote unauthenticated attackers can exploit this vulnerability over the network by triggering the Export CSV functionality, potentially leading to severe consequences such as unauthorized data access, modification, or disruption, as reflected in the high CVSS impact metrics (C:H/I:H/A:H) with unchanged scope.

Apache advisories recommend upgrading to Ranger version 2.6.0, which addresses the issue. Additional details are available in the Apache Ranger vulnerabilities wiki at https://cwiki.apache.org/confluence/display/RANGER/Vulnerabilities+found+in+Ranger and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2025/03/03/2.


Vulnerability details

Improper Neutralization of Formula Elements in the Export CSV feature of Apache Ranger, versions < 2.6.0. Users are recommended to upgrade to version 2.6.0, which fixes this issue.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote unauthenticated attackers to exploit the Export CSV feature in the public-facing Apache Ranger web application, directly mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59059 (same product: Apache Ranger)
CVE-2024-45479 (same product: Apache Ranger)
CVE-2026-46586 (same vendor: Apache)
CVE-2026-41873 (same vendor: Apache)
CVE-2025-24783 (same vendor: Apache)
CVE-2024-53678 (same vendor: Apache)
CVE-2026-34059 (same vendor: Apache)
CVE-2026-40961 (same vendor: Apache)
CVE-2025-48913 (same vendor: Apache)
CVE-2025-65114 (same vendor: Apache)

Affected Assets

Apache Ranger, versions ≤ 2.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the CVE by requiring timely patching and upgrading Apache Ranger to version 2.6.0 as recommended by the vendor.

Prevent (SI-15, Information Output Filtering): Filters and neutralizes formula elements in CSV export output to prevent injection of malicious formulas exploitable by remote attackers.

Prevent (AC-3, Access Enforcement): Enforces access controls to block unauthenticated remote attackers from triggering the vulnerable Export CSV functionality.
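The output-filtering control above (SI-15) is the direct fix for CWE-1236: every field written to an exported CSV is checked for a leading formula-trigger character and forced to plain text. The following is an added, stand-alone example of that neutralization and of a re-parse check an export endpoint can be tested against; it is not Apache Ranger's code, and the sample rows, field names and the whitespace-trimming choice are constructed assumptions.

```python
import csv
import io

# Leading characters that make common spreadsheet applications evaluate a
# CSV cell as a formula instead of displaying it as text (CWE-1236).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows shaped like a policy listing; not Ranger data.
SAMPLE_HEADER = ["policy_name", "resource", "users"]
SAMPLE_ROWS = [
    ["finance_read", "/data/finance", "alice,bob"],
    ["=SUM(1,2)", "/data/reports", "carol"],  # name that looks like a formula
    ["hr_audit", "@quarterly", "-dave"],     # '@' and '-' also trigger evaluation
]


def neutralize_formula_element(value: str) -> str:
    """Return a field that spreadsheets will treat as literal text.

    A leading apostrophe forces text interpretation. Leading whitespace is
    ignored in the check because some spreadsheets trim it first (a
    conservative choice made here, not Ranger's own behaviour). Numeric
    values such as "-5" get neutralized too: the trade-off of filtering
    at the output layer instead of validating on input.
    """
    lead = value.lstrip()[:1]
    if lead and lead in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_rows_to_csv(header: list[str], rows: list[list[object]]) -> str:
    """Render rows as CSV with every field neutralized and double-quoted,
    so embedded separators and quotes stay inside their own cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_formula_element(str(cell)) for cell in row])
    return buf.getvalue()


def fields_starting_with_trigger(csv_text: str) -> list[str]:
    """Re-parse an export and list fields a spreadsheet would still evaluate.
    As a regression check on an export endpoint, this should return []."""
    rows = csv.reader(io.StringIO(csv_text))
    return [f for row in rows for f in row if f[:1] in FORMULA_TRIGGERS]
```

Running `fields_starting_with_trigger` over a captured export from a patched and an unpatched endpoint is a quick way to verify the fix from the outside, without relying on version strings alone.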
