PT-2025-48132 · Apache · Apache Hive
Wukong · Published 2025-11-26 · Updated 2025-12-04 · CVE-2025-62728
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache Hive versions from 4.1.0 up to, but not including, 4.2.0 (4.2.0 contains the fix)
Description
A SQL injection issue exists in the Hive Metastore Server (HMS) when it handles delete column statistics requests received through the Thrift APIs. The issue is exploitable only by users or applications that are already authorized to call the Thrift APIs directly, which is why the CVSS vector carries PR:L. In typical deployments, HMS access is limited to a small number of applications, which reduces the risk of exploitation. The vulnerable code is not reachable when the metastore.try.direct.sql property is set to false. The vulnerability involves processing requests via the following:
API Endpoints: Thrift APIs
Vulnerable Parameters or Variables: Requests to delete column statistics.
Recommendations
Upgrade to version 4.2.0 to resolve the issue.
If an upgrade is not possible, set the metastore.try.direct.sql property to false; this is especially important where the HMS Thrift APIs are exposed publicly. Note that this setting disables the metastore's direct-SQL path for all operations, not only for column-statistics deletion, so expect a performance cost on metadata operations. Restricting network access to the HMS Thrift port to the small set of applications that need it reduces exposure independently of this setting.
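The vulnerability class described above, as an added illustrative example that is not Apache Hive's own code or schema: a hypothetical delete-column-statistics routine that splices the caller-supplied database, table and column names into a direct SQL statement, beside the same routine with bound parameters. The in-memory table, its rows and the crafted column name are all constructed for the demo.

```python
import sqlite3


def make_stats_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a metastore column-statistics table.

    Illustrative model only; it is not Hive's metastore schema.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE TAB_COL_STATS ("
        "DB_NAME TEXT, TABLE_NAME TEXT, COLUMN_NAME TEXT, NUM_NULLS INTEGER)"
    )
    db.executemany(
        "INSERT INTO TAB_COL_STATS VALUES (?, ?, ?, ?)",
        [
            ("default", "orders", "id", 0),
            ("default", "orders", "amount", 3),
            ("default", "users", "email", 1),
        ],
    )
    db.commit()
    return db


def delete_col_stats_unsafe(db, db_name, table_name, col_name) -> int:
    """Direct-SQL style: request fields spliced into the statement text.

    A value containing a quote ends the string literal early, so the caller
    controls the WHERE clause. Returns the number of rows deleted.
    """
    sql = (
        "DELETE FROM TAB_COL_STATS WHERE DB_NAME = '{}' AND TABLE_NAME = '{}' "
        "AND COLUMN_NAME = '{}'"
    ).format(db_name, table_name, col_name)
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def delete_col_stats_safe(db, db_name, table_name, col_name) -> int:
    """Same operation with bound parameters: the names travel as values and
    can never alter the statement's structure. Returns rows deleted."""
    cur = db.execute(
        "DELETE FROM TAB_COL_STATS WHERE DB_NAME = ? AND TABLE_NAME = ? "
        "AND COLUMN_NAME = ?",
        (db_name, table_name, col_name),
    )
    db.commit()
    return cur.rowcount


def remaining_rows(db) -> int:
    return db.execute("SELECT COUNT(*) FROM TAB_COL_STATS").fetchone()[0]


if __name__ == "__main__":
    # Constructed input: AND binds tighter than OR, so the tautology matches every row.
    payload = "x' OR '1'='1"
    db = make_stats_db()
    print("unsafe deleted:", delete_col_stats_unsafe(db, "default", "orders", payload))
    db = make_stats_db()
    print("safe deleted:", delete_col_stats_safe(db, "default", "orders", payload))
```

With the crafted column name the unsafe variant wipes every statistics row for every table, which is the integrity impact the vector's I:L reflects, while the bound-parameter variant matches nothing. Binding works here because the names are compared as values in the WHERE clause; had they been spliced in as identifiers (a table name after FROM), parameters would not apply and the names would need to be checked against an allow-list drawn from the catalogue instead.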
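A check for the mitigation above, as an added example that is not Hive's own tooling: parse a hive-site.xml and report whether the direct-SQL path is still reachable. The sample configurations are constructed. The legacy key name hive.metastore.try.direct.sql, the precedence of the new name over it, and the default of true are taken from Hive's configuration handling and are assumptions of this check rather than statements made by the advisory.

```python
import xml.etree.ElementTree as ET

# The property named in the advisory, then its pre-MetastoreConf alias.
# Honouring the alias, with the new name taking precedence, is an assumption.
DIRECT_SQL_KEYS = ("metastore.try.direct.sql", "hive.metastore.try.direct.sql")


def direct_sql_enabled(hive_site_xml: str) -> bool:
    """Return True when the direct-SQL code path is still reachable.

    Hadoop-style config: <configuration><property><name/><value/></property>.
    An absent property means Hive's default (assumed true). Only an explicit,
    case-insensitive "false" disables the path; "no", "0" or a typo does not.
    """
    root = ET.fromstring(hive_site_xml)
    found = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name in DIRECT_SQL_KEYS:
            found[name] = (prop.findtext("value") or "").strip()
    for key in DIRECT_SQL_KEYS:  # new name wins over the legacy alias
        if key in found:
            return found[key].lower() != "false"
    return True


def audit(hive_site_xml: str) -> str:
    """One-line verdict for an operator."""
    if direct_sql_enabled(hive_site_xml):
        return "direct SQL reachable: mitigation NOT in place"
    return "direct SQL disabled: mitigation in place"


# Constructed sample configurations for the demo.
WEAK_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hive.metastore.warehouse.dir</name><value>/user/hive/warehouse</value></property>
</configuration>
"""

MISCONFIGURED_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>metastore.try.direct.sql</name><value>no</value></property>
</configuration>
"""

HARDENED_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>metastore.try.direct.sql</name><value>false</value></property>
  <property><name>hive.metastore.warehouse.dir</name><value>/user/hive/warehouse</value></property>
</configuration>
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_HIVE_SITE),
                       ("misconfigured", MISCONFIGURED_HIVE_SITE),
                       ("hardened", HARDENED_HIVE_SITE)):
        print(f"{label}: {audit(cfg)}")
```

Run it against the hive-site.xml that the metastore process actually loads (the one on the HMS host's classpath), not a copy on a client, since the property only matters where HMS evaluates it. The "misconfigured" sample shows the failure mode worth catching: a value that looks like a denial but is not the literal false leaves the path enabled.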
Weakness Enumeration
SQL injection
Related Identifiers
CVE-2025-62728
Affected Products
Apache Hive