PT-2025-16173 · Apache · Apache SeaTunnel

Author: Liyiwei, +1
Published: 2025-04-12 · Updated: 2025-06-20
CVE-2025-32896
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache SeaTunnel versions <=2.3.10

Description: Unauthorized users can perform arbitrary file read and deserialization attacks by submitting a job through the restful api-v1. An attacker can access the /hazelcast/rest/maps/submit-job endpoint to submit a job and set extra parameters in the MySQL URL to perform the attack.

Recommendations: For Apache SeaTunnel versions <=2.3.10, users are recommended to upgrade to version 2.3.11, enable the restful api-v2 and turn on HTTPS two-way (mutual TLS) authentication, which fixes the issue. As a temporary workaround, consider restricting access to the /hazelcast/rest/maps/submit-job endpoint until the issue is resolved.
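The temporary workaround above is to restrict who can reach the /hazelcast/rest/maps/submit-job endpoint. A defender who puts that restriction in place at a reverse proxy will also want to verify it from the access logs. The following script is an added example, not code from the advisory or from the Apache SeaTunnel project: it parses constructed combined-log-style lines, picks out requests to the submit-job endpoint, and reports those coming from outside an allowlist of trusted submitter networks, distinguishing accepted (2xx) submissions from blocked ones. The log format, the allowlist (10.0.5.0/24) and the sample addresses are assumptions; adapt the regex to the proxy actually in front of the cluster.

```python
"""Flag requests to the SeaTunnel submit-job endpoint from untrusted sources.

Added example (not part of the advisory or the SeaTunnel project).
The access-log format, the trusted network and the sample lines below are
constructed assumptions for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Endpoint named in the advisory (restful api-v1 job submission).
SUBMIT_JOB_PATH = "/hazelcast/rest/maps/submit-job"

# Constructed allowlist: networks from which job submission is expected.
TRUSTED_SUBMITTERS = [ip_network("10.0.5.0/24")]

# Constructed combined-log-style pattern: client ip, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: two trusted requests, one accepted request from an
# untrusted address, and one untrusted request the proxy already blocked.
SAMPLE_LOG = """\
10.0.5.12 - - [12/Apr/2025:10:01:02 +0000] "POST /hazelcast/rest/maps/submit-job HTTP/1.1" 200
203.0.113.7 - - [12/Apr/2025:10:03:15 +0000] "POST /hazelcast/rest/maps/submit-job?jobName=x HTTP/1.1" 200
10.0.5.12 - - [12/Apr/2025:10:05:00 +0000] "GET /hazelcast/rest/maps/running-jobs HTTP/1.1" 200
198.51.100.4 - - [12/Apr/2025:10:07:41 +0000] "POST /hazelcast/rest/maps/submit-job HTTP/1.1" 403
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "method": m["method"],
        # Drop the query string so variants of the path still match.
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_trusted(ip, trusted=None):
    """True if the client address lies inside one of the trusted networks."""
    trusted = TRUSTED_SUBMITTERS if trusted is None else trusted
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed address is never trusted
    return any(addr in net for net in trusted)


def find_untrusted_submissions(log_text, trusted=None):
    """Return submit-job requests from outside the allowlist.

    Each result carries an 'accepted' flag: True when the server answered
    2xx (the restriction is not effective), False when it was blocked
    (still worth knowing about, since it shows someone probing the endpoint).
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["path"] != SUBMIT_JOB_PATH:
            continue
        if not is_trusted(entry["ip"], trusted):
            entry["accepted"] = 200 <= entry["status"] < 300
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_submissions(SAMPLE_LOG):
        state = "ACCEPTED" if hit["accepted"] else "blocked"
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> {hit['status']} ({state})")
```

Run against the constructed sample, the script reports 203.0.113.7 as an accepted submission (the restriction is not in force for that source) and 198.51.100.4 as blocked. An accepted hit from an untrusted address on a version <=2.3.10 is the signal to act on, since that is exactly the exposure the advisory describes.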

Tags: Fix, RCE, Missing Authentication, Improper Authentication

Weakness Enumeration

Related Identifiers: BDU:2025-05056, CVE-2025-32896, GHSA-9X53-GR7P-4QF5

Affected Products: Apache SeaTunnel