CVE-2025-29847
Published: 19 January 2026
Summary
CVE-2025-29847 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apache Linkis. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Directly implements checks on information inputs to reject invalid data before processing.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Path traversal in public-facing Apache Linkis JDBC component directly enables remote unauthenticated file read (T1190 exploitation + T1005 data collection).
NVD Description
A vulnerability in Apache Linkis. Problem Description: When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters. Scope of Impact: This issue affects Apache Linkis: from 1.3.0 through 1.7.0. Severity level: moderate. Solution: Continuously check if the connection information contains the "%" character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue. More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve
Deeper analysis (AI)
CVE-2025-29847 is a vulnerability in Apache Linkis that affects versions from 1.3.0 through 1.7.0. It occurs in the JDBC engine and data source functionality, where a frontend-configured URL parameter that has undergone multiple rounds of URL encoding can bypass system checks. This bypass enables unauthorized access to system files through JDBC parameters. The issue is associated with CWE-20 (Improper Input Validation) and CWE-22 (Path Traversal), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), rated as moderate severity.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a specially encoded JDBC URL parameter, attackers bypass validation and gain unauthorized read access to system files, resulting in high confidentiality impact without affecting integrity or availability.
Apache Linkis advisories recommend upgrading to version 1.8.0, which addresses the issue. As a mitigation, systems should continuously check connection information for the "%" character and perform URL decoding if present. Additional discussion is available at https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve, with further details in references such as https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057 and http://www.openwall.com/lists/oss-security/2025/09/19/2.
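The mitigation described above (keep decoding while a "%" remains, then run the check) set beside a single-pass check, as an added Java example that is not Apache Linkis code. The deny-list key `blockedoption`, the round limit and the sample URLs are constructed placeholders.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Locale;

public class JdbcUrlCheck {
    // Hypothetical deny-list entry: a placeholder, not a real driver property.
    static final List<String> BLOCKED_KEYS = List.of("blockedoption");
    // Assumed bound so that deeply nested encoding cannot keep the loop busy.
    static final int MAX_ROUNDS = 8;

    // Decode repeatedly until no '%' is left, as the advisory's fix describes.
    static String fullyDecode(String value) {
        String current = value;
        for (int round = 0; round < MAX_ROUNDS && current.contains("%"); round++) {
            // Keep '+' literal: URLDecoder would otherwise turn it into a space.
            current = URLDecoder.decode(current.replace("+", "%2B"), StandardCharsets.UTF_8);
        }
        if (current.contains("%")) {
            throw new IllegalArgumentException("still encoded after " + MAX_ROUNDS + " rounds");
        }
        return current;
    }

    static boolean containsBlockedKey(String url) {
        String lower = url.toLowerCase(Locale.ROOT);
        return BLOCKED_KEYS.stream().anyMatch(lower::contains);
    }

    // Weak form: one decoding pass, then the check.
    static boolean acceptedBySinglePass(String url) {
        return !containsBlockedKey(URLDecoder.decode(url, StandardCharsets.UTF_8));
    }

    // Hardened form: normalise completely and fail closed on malformed escapes.
    static boolean acceptedByLoop(String url) {
        try {
            return !containsBlockedKey(fullyDecode(url));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples; host, database and blocked key are made up.
        String plain = "jdbc:mysql://db.example.internal:3306/app?useSSL=true";
        String twice = "jdbc:mysql://db.example.internal:3306/app?blocked%254Fption=true";
        System.out.println(acceptedBySinglePass(twice) + " " + acceptedByLoop(twice));
        System.out.println(acceptedBySinglePass(plain) + " " + acceptedByLoop(plain));
    }
}
```

The twice-encoded sample passes the single-pass check because one decode still leaves `%4F` in the key, while the loop rejects it; a value that legitimately contains a bare "%" is also rejected by the hardened form, which is the fail-closed trade-off of this approach.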
Details
- CWE(s)