CVE-2025-61734: 
Java vulnerability analysis and mitigation

A Files or Directories Accessible to External Parties vulnerability has been identified in Apache Kylin, tracked as CVE-2025-61734. The vulnerability affects Apache Kylin versions from 4.0.0 through 5.0.2. This security issue was disclosed on October 2, 2025, and has been assigned a CVSS v3.1 base score of 7.5 (High) (NVD, Miggo).

The vulnerability stems from insufficient validation of host parameters in several API endpoints and path traversal vulnerabilities in file handling services. The issue involves multiple vulnerable functions including broadcastMetadataBackup, getMetadataBackupFromTmpPath, and generateTempKeytab. The vulnerability has been assigned CWE-552 (Files or Directories Accessible to External Parties) and carries a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Miggo).

If exploited, attackers with sufficient access could retrieve sensitive files from the system, potentially leading to data leakage or reconnaissance for further attacks. The vulnerability primarily affects the confidentiality of the system, as indicated by the CVSS metrics showing high impact on confidentiality but no impact on integrity or availability (SecurityOnline).

Users are strongly recommended to upgrade to Apache Kylin version 5.0.3, which contains fixes for this vulnerability. The patch introduces several security improvements including a checkServer method in NBasicController, a getSafeAbsolutePath method for path validation, and a checkPrincipal method for input sanitization (Miggo, NVD).