CVE-2025-29847
Published: 19 January 2026
Summary
CVE-2025-29847 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apache Linkis. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 36.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-29847 is a vulnerability in Apache Linkis that affects versions from 1.3.0 through 1.7.0. It occurs in the JDBC engine and data source functionality, where a frontend-configured URL parameter that has undergone multiple rounds of URL encoding can bypass system checks. This bypass enables unauthorized access to system files through JDBC parameters. The issue is associated with CWE-20 (Improper Input Validation) and CWE-22 (Path Traversal). Its CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), while the Apache advisory lists the severity level as moderate.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a specially encoded JDBC URL parameter, attackers bypass validation and gain unauthorized read access to system files, resulting in high confidentiality impact without affecting integrity or availability.
Apache Linkis advisories recommend upgrading to version 1.8.0, which addresses the issue. As a mitigation, systems should continuously check connection information for the "%" character and perform URL decoding if present. Additional discussion is available at https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve, with further details in references such as https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057 and http://www.openwall.com/lists/oss-security/2025/09/19/2.
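The recommended mitigation (keep decoding while a "%" is still present, then validate) can be sketched as follows. This is an added example, not Apache Linkis code: the blocked parameter name `forbiddenParam`, the round limit, the host name and the sample URLs are all constructed placeholders, since this page does not name the actual JDBC parameters involved.

```python
from urllib.parse import unquote

MAX_ROUNDS = 8                        # assumed cap on nested encoding layers
BLOCKED_PARAMS = {"forbiddenparam"}   # hypothetical placeholder, lower-cased

def fully_decode(value, max_rounds=MAX_ROUNDS):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of URL encoding")

def has_blocked_param(url):
    """True if any query-string key of the URL is on the blocklist."""
    _, _, query = url.partition("?")
    keys = {p.split("=", 1)[0].strip().lower() for p in query.split("&") if p}
    return bool(keys & BLOCKED_PARAMS)

def single_pass_check(url):
    """Weak form: decodes once, so a second encoding layer hides the key."""
    return not has_blocked_param(unquote(url))

def fixed_point_check(url):
    """Hardened form: validate only the fully decoded URL; reject on excess nesting."""
    try:
        return not has_blocked_param(fully_decode(url))
    except ValueError:
        return False

# Constructed sample inputs (db.example.internal is a placeholder host).
BASE = "jdbc:mysql://db.example.internal:3306/app?"
PLAIN = BASE + "forbiddenParam=true"
ENCODED_ONCE = BASE + "forbidden%50aram=true"      # %50 decodes to "P"
ENCODED_TWICE = BASE + "forbidden%2550aram=true"   # %25 decodes to "%"
BENIGN = BASE + "useSSL=true"

if __name__ == "__main__":
    for url in (PLAIN, ENCODED_ONCE, ENCODED_TWICE, BENIGN):
        print(single_pass_check(url), fixed_point_check(url), url)
```

Whatever connection string is handed to the driver should be the same fully decoded value that was validated, otherwise the check and the consumer can still disagree.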
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3229
Vulnerability details
A vulnerability in Apache Linkis.
Problem Description: When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.
Scope of Impact: This issue affects Apache Linkis: from 1.3.0 through 1.7.0.
Severity level: moderate
Solution: Continuously check if the connection information contains the "%" character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue.
More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing Apache Linkis JDBC component directly enables remote unauthenticated file read (T1190 exploitation + T1005 data collection).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the improper input validation (CWE-20) by requiring validation and decoding of JDBC URL parameters to prevent bypass via multiple URL encodings.
Addresses the specific flaw in Apache Linkis versions 1.3.0-1.7.0 by requiring timely identification, reporting, and remediation through patching to version 1.8.0.
Enforces least privilege on the JDBC engine process to prevent unauthorized read access to system files even if input validation is bypassed.