CVE-2025-32896: 
Java vulnerability analysis and mitigation

Apache SeaTunnel versions 2.3.1 through 2.3.10 contain a vulnerability (CVE-2025-32896) that allows unauthorized users to exploit insecure REST API endpoints. The vulnerability was discovered in early April 2025 and affects the legacy REST API v1 endpoint, enabling unauthenticated access to sensitive system functions (Wiz, Openwall).

The vulnerability stems from unauthenticated access to the legacy REST API v1 endpoint '/hazelcast/rest/maps/submit-job'. Attackers can exploit this endpoint by submitting jobs to SeaTunnel without proper authentication. The vulnerability can be triggered by injecting malicious parameters in the MySQL connection URL, leading to arbitrary file reads and unsafe Java object deserialization. The severity has been classified as moderate to critical with a CVSS score of 6.5, depending on deployment context (Wiz).

The vulnerability enables attackers to access sensitive files on the server, including configuration files and credentials. Through Java deserialization exploitation, attackers may achieve remote code execution (RCE), potentially gaining full control over the affected server. Given SeaTunnel's widespread adoption by large enterprises for data synchronization, the potential impact is significant (Wiz).

The Apache SeaTunnel team has addressed the vulnerability in version 2.3.11. Users are strongly advised to upgrade to this version or later, disable RESTful API v1, and switch to API v2 which enforces stricter authentication. Additionally, it is recommended to enable HTTPS two-way authentication for all SeaTunnel nodes to ensure secure communication and prevent unauthorized access (Wiz, Openwall).