CVE-2025-23015: 
Apache Cassandra vulnerability analysis and mitigation

CVE-2025-23015 is a Privilege Defined With Unsafe Actions vulnerability discovered in Apache Cassandra. The vulnerability was disclosed on February 3, 2025, affecting Apache Cassandra versions through 3.0.30, 3.11.17, 4.0.15, 4.1.7, and 5.0.2. This security flaw was reported by Adam Pond, Ali Mirheidari, Terry Thibault, and Will Brattain of Apple Services Engineering Security (OSS Security).

The vulnerability is classified as CWE-267 (Privilege Defined With Unsafe Actions) with a CVSS v3.1 base score of 8.8 (HIGH) according to CISA-ADP assessment. The vulnerability allows a user with MODIFY permission ON ALL KEYSPACES to escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource (NVD, Red Hat).

The vulnerability enables privilege escalation to superuser level within affected Cassandra clusters. Organizations granting data MODIFY permission on all keyspaces on affected versions may be exposed to potential security breaches, as users can gain unauthorized superuser access to system resources (OSS Security).

Initially, users were recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, or 5.0.3. However, due to performance regressions detected in versions 3.0.31 and 3.11.18, users are now advised to upgrade to versions 3.0.32 and 3.11.19 instead. For other versions, the original upgrade recommendations remain unchanged (OSS Security).