PT-2025-12015 · Unknown · Clickhouse

Arseniy Dugin · Published 2025-03-20 · Updated 2025-03-21

CVE-2025-1385

CVSS v4.0: 7.5 (High)

Vector: AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: ClickHouse (affected versions not specified)

Description: The issue arises when the library bridge feature is enabled, which lets the clickhouse-library-bridge process expose an HTTP API on localhost. Through that API, clickhouse-server can dynamically load a library from a specified path and execute it in an isolated process. When this is combined with the ClickHouse table engine functionality that permits file uploads to specific directories, a misconfigured server can be exploited by an attacker with access to both table engines to execute arbitrary code on the ClickHouse server.

Recommendations: To check whether your ClickHouse server is vulnerable, inspect the configuration file for the following setting:

    <library_bridge>
        <port>9019</port>
    </library_bridge>

If this setting is present, consider disabling the library bridge feature as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
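The configuration check described in the recommendation, written out as an added defensive example (it is not part of the advisory and not ClickHouse project code). It assumes the server config is XML with a `<clickhouse>` or legacy `<yandex>` root element, that the bridge section is named `library_bridge` with a `port` child, and that override fragments live in a `config.d/` directory beside the main file, which is how ClickHouse merges its configuration. The sample XML fragments are constructed for the example.

```python
"""Report whether a ClickHouse server configuration enables the library bridge.

Added example; assumes the <library_bridge>/<port> layout quoted in the
advisory and the config.d/ override convention used by ClickHouse.
"""
import glob
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample fragments (not taken from the advisory): one with the
# bridge enabled exactly as the recommendation describes, one without it, and
# one where the section exists but sets no port explicitly.
SAMPLE_ENABLED = """<clickhouse>
    <http_port>8123</http_port>
    <library_bridge>
        <port>9019</port>
    </library_bridge>
</clickhouse>"""

SAMPLE_DISABLED = """<clickhouse>
    <http_port>8123</http_port>
</clickhouse>"""

SAMPLE_ENABLED_NO_PORT = """<yandex>
    <library_bridge/>
</yandex>"""


def library_bridge_settings(xml_text):
    """Return the children of <library_bridge> as a dict, or None if absent."""
    root = ET.fromstring(xml_text)
    node = root.find("library_bridge")
    if node is None:          # "is None": an empty element is falsy but present
        return None
    return {child.tag: (child.text or "").strip() for child in node}


def assess(xml_text):
    """Summarise one config document as a finding dict."""
    settings = library_bridge_settings(xml_text)
    if settings is None:
        return {"enabled": False, "port": None,
                "finding": "library bridge not configured"}
    port = settings.get("port")
    detail = f"port {port}" if port else "port not set explicitly"
    return {"enabled": True, "port": port,
            "finding": f"library bridge enabled ({detail}); remove the "
                       "<library_bridge> section until a fixed version is available"}


def assess_many(named_texts):
    """Assess several config documents (name -> XML text).

    ClickHouse merges the main file with its config.d/ overrides, so a bridge
    enabled in any fragment enables it in the effective configuration.
    """
    per_file = {name: assess(text) for name, text in named_texts.items()}
    enabled_in = [name for name, r in per_file.items() if r["enabled"]]
    return {"enabled": bool(enabled_in), "enabled_in": enabled_in,
            "per_file": per_file}


def scan_config_tree(main_config_path):
    """Read the main config plus any config.d/*.xml overrides next to it."""
    config_dir = os.path.dirname(main_config_path)
    paths = [main_config_path]
    paths += sorted(glob.glob(os.path.join(config_dir, "config.d", "*.xml")))
    texts = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            texts[path] = fh.read()
    return assess_many(texts)


if __name__ == "__main__":
    # Default path is the usual package location; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/clickhouse-server/config.xml"
    result = scan_config_tree(target)
    for name, r in result["per_file"].items():
        print(f"{name}: {r['finding']}")
    sys.exit(1 if result["enabled"] else 0)
```

The non-zero exit status when the bridge is enabled makes the script usable as a fleet-wide compliance check; the per-file breakdown matters because an override in `config.d/` can enable the bridge even when the main `config.xml` does not mention it.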

RCE


Weakness Enumeration

Related Identifiers

CVE-2025-1385
GHSA-5PHV-X8X4-83X5

Affected Products

Clickhouse