CVE-2025-66524 · HIGH 8.8 · EPSS percentile 34.7%

CVE-2025-66524

Description

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.
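The weakness described above, reduced to its two halves: a processor that calls ObjectInputStream.readObject() on whatever bytes the cache returns, beside the same read guarded by a JEP 290 allow-list filter. This is an added illustration written for this page, not code from Apache NiFi; the AsanaState and Planted classes, the field names and the sample fingerprint are invented stand-ins for the real state record and for a class an attacker with write access to the cache server could store. The actual 2.7.0 fix took a different route (JSON instead of Java serialization); the ObjectInputFilter shown here is the generic hardening for the "without filtering" defect the description names. No gadget chain is included: the planted class only prints a line from its readObject() to show that attacker-chosen code runs inside the processor's JVM.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class CacheStateDeserialization {

    // Hypothetical state record. Stands in for whatever GetAsanaObject keeps per Asana
    // object in the configured cache; it is not NiFi's real state class.
    static final class AsanaState implements Serializable {
        private static final long serialVersionUID = 1L;
        final Map<String, String> fingerprints;
        AsanaState(Map<String, String> fingerprints) { this.fingerprints = fingerprints; }
    }

    // Stands in for a class an attacker with write access to the cache server could plant.
    // A real attack would use a gadget class already on NiFi's classpath; none is shown here.
    static final class Planted implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("  readObject() of the attacker-chosen class ran inside the processor");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE pattern (CWE-502): the bytes fetched from the cache are deserialized as-is,
    // so the cache content, not the processor, decides which classes get instantiated.
    static Object readStateUnfiltered(byte[] fromCache) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(fromCache))) {
            return ois.readObject();
        }
    }

    // HARDENED pattern: a JEP 290 allow-list (java.io.ObjectInputFilter, Java 9+). Only the
    // expected state class and its field types may appear in the stream; "!*" rejects any
    // other class before it is resolved, so its readObject() never runs. maxdepth bounds
    // how deep a nested object graph may get.
    static Object readStateFiltered(byte[] fromCache) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "CacheStateDeserialization$AsanaState;java.util.HashMap;java.lang.String;maxdepth=8;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(fromCache))) {
            ois.setObjectInputFilter(allowList);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample state: one Asana object id mapped to a content fingerprint.
        Map<String, String> seen = new HashMap<>();
        seen.put("1204567890123456", "fingerprint-a1b2c3");
        byte[] legitimate = serialize(new AsanaState(seen)); // what the processor itself stored
        byte[] planted = serialize(new Planted());           // what a cache-side attacker stored

        System.out.println("unfiltered, legitimate: " + readStateUnfiltered(legitimate).getClass().getName());
        System.out.println("unfiltered, planted:");
        readStateUnfiltered(planted); // attacker class instantiated, its readObject() executes

        System.out.println("filtered, legitimate:   " + readStateFiltered(legitimate).getClass().getName());
        try {
            readStateFiltered(planted);
        } catch (InvalidClassException e) {
            System.out.println("filtered, planted:      rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac CacheStateDeserialization.java && java CacheStateDeserialization`: the unfiltered path prints the line from the planted class's readObject(), the filtered path throws InvalidClassException with status REJECTED before that method is reached. The allow-list keeps native Java serialization and therefore still depends on every allow-listed class being safe to deserialize; replacing the format with JSON, as NiFi 2.7.0 did, removes class resolution from the untrusted bytes altogether, provided the JSON library is not configured to honour type hints embedded in the payload. Either way, the description's precondition of "direct access to the configured cache server" is the other control: the cache service should be reachable only from the NiFi nodes that use it.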

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% probability of exploitation · percentile 34.7% · scored 2026-06-18T12:00:27Z
Published: 2025-12-19
Last modified: 2026-01-08

Underlying weaknesses (1)

CWE-502 Deserialization of Untrusted Data

References

  1. https://lists.apache.org/thread/k9h004ydjg7opdvxr0nfywtzf33z60d7
  2. http://www.openwall.com/lists/oss-security/2025/12/18/2

Type      Target                                       Confidence  Tier
Weakness  Deserialization of Untrusted Data (cwe-502)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  CVE  CVE-2025-27925
  CVE  CVE-2026-6857
  CVE  CVE-2026-40858
  CVE  CVE-2025-53606
  CVE  CVE-2026-25747
  CVE  CVE-2026-40473
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.