Severity: moderate

Affected versions:

- Apache HugeGraph-Server 1.0.0 ~ 1.5.0 (before 1.7.0)

Description:

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks.

Users are recommended to upgrade to version 1.7.0, which fixes the issue.

Credit:

- shukuang (reporter)
- yulate (reporter)
- X1r0z (reporter)
- haohao0103 (remediation developer)

References:

- https://hugegraph.apache.org/docs/guides/security/
- https://lists.apache.org/thread/6f502dvyrckwp8tz2k73zlko8qr7wt5x
- https://github.com/apache/incubator-hugegraph/pull/2735
- https://www.cve.org/CVERecord?id=CVE-2025-26866
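The class-whitelist hardening described above, shown as an added illustration that is not HugeGraph's own patch: it uses the allowlist mode of Hessian's ClassFactory (available in Hessian 4.0.51 and later) so that only application message types are instantiated from a stream, and checks the decoded type before use. StoreEntry and Untrusted are placeholder classes, not HugeGraph identifiers.

```java
import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.Hessian2Output;
import com.caucho.hessian.io.SerializerFactory;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.Serializable;

public class HessianAllowlistDemo {
    // Placeholder for a legitimate store message type (not a HugeGraph class).
    public static class StoreEntry implements Serializable {
        public String key; public long value;
    }
    // Placeholder for any class a peer might try to smuggle into the stream.
    public static class Untrusted implements Serializable { public String cmd; }

    // Factory in allowlist mode: classes not explicitly allowed are never
    // instantiated (Hessian maps denied type names to a plain HashMap).
    static SerializerFactory hardenedFactory() {
        SerializerFactory factory = new SerializerFactory();
        factory.getClassFactory().setWhitelist(true);
        factory.getClassFactory().allow(StoreEntry.class.getName());
        return factory;
    }

    static byte[] encode(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        Hessian2Output out = new Hessian2Output(bos);
        out.writeObject(obj);
        out.close();
        return bos.toByteArray();
    }

    // Decode under the allowlist and require the exact expected type, so a
    // denied class (decoded as a HashMap) is rejected instead of being used.
    static StoreEntry decodeStoreEntry(byte[] bytes) throws IOException {
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(bytes));
        in.setSerializerFactory(hardenedFactory());
        Object obj = in.readObject();
        in.close();
        if (!(obj instanceof StoreEntry)) {
            throw new IOException("rejected type: " + (obj == null ? "null" : obj.getClass().getName()));
        }
        return (StoreEntry) obj;
    }

    public static void main(String[] args) throws IOException {
        StoreEntry entry = new StoreEntry(); entry.key = "k1"; entry.value = 42;
        System.out.println("allowed: " + decodeStoreEntry(encode(entry)).key);
        try { decodeStoreEntry(encode(new Untrusted())); }
        catch (IOException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The allowlist belongs on every Hessian input the node accepts from peers; the IP-based membership check in the fix is a separate, complementary control that this snippet does not cover.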
