CVE-2025-24814: 
Java vulnerability analysis and mitigation

Apache Solr has reported a vulnerability (CVE-2025-24814) affecting all versions through Solr 9.7. The vulnerability exists in instances using the 'FileSystemConfigSetService' component (default in 'standalone' or 'user-managed' mode) that are running without authentication and authorization. This security flaw was discovered on January 26, 2025, and allows for privilege escalation through the manipulation of trusted configset files (Apache Advisory).

The vulnerability enables users to replace 'trusted' configset files with arbitrary configurations from elsewhere on the filesystem. These replacement config files are treated as trusted and can utilize tags to add to Solr's classpath. The vulnerability has been assigned CWE-250 (Execution with Unnecessary Privileges) and received a CVSS v3.1 base score of 5.4 (Medium) from CISA-ADP (NVD Database, Red Hat Portal).

The vulnerability allows attackers to load malicious code as a searchComponent or other plugin through the manipulation of trusted configset files. This could lead to unauthorized code execution and potential system compromise (Security Online).

Users can protect against the vulnerability through multiple approaches: 1) Upgrade to Solr 9.8.0, which mitigates this issue by disabling use of tags by default, 2) Enable authentication and authorization on their Solr clusters, or 3) Switch to SolrCloud and away from FileSystemConfigSetService (Red Hat Portal).