CVE-2025-27446: 
Apache APISIX vulnerability analysis and mitigation

An Incorrect Permission Assignment for Critical Resource vulnerability (CVE-2025-27446) was discovered in Apache APISIX Java Plugin Runner. The vulnerability affects versions from 0.2.0 through 0.5.0, where local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges (NVD, OSS Security).

The vulnerability is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). According to the CVSS 3.1 scoring by CISA-ADP, it has received a base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, low privileges required, no user interaction, and high impacts on confidentiality, integrity, and availability (NVD).

The vulnerability allows a local attacker to elevate privileges through improper file permissions in the APISIX plugin runner. This could lead to unauthorized access and potential system compromise with high impacts on system confidentiality, integrity, and availability (NVD).

Users are recommended to upgrade to Apache APISIX Java Plugin Runner version 0.6.0 or higher, which contains the fix for this vulnerability (NVD).

The vulnerability was initially reported by Benoit TELLIER and was assigned a severity rating of 'low' by the Apache APISIX team (OSS Security).