PT-2025-52439 · Apache · Nifi-Asana-Processors-Nar+2

Jaeyeong Lee · Published 2025-12-19 · Updated 2026-01-08 · CVE-2025-66524

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache NiFi versions 1.20.0 through 2.6.0

Description

The GetAsanaObject Processor in Apache NiFi utilizes a Distributed Map Cache Client Service for state management. This processor employs Java Object serialization and deserialization without adequate filtering, creating a potential for exploitation through crafted state information stored in the cache server. Successful exploitation requires access to the configured cache server and an Apache NiFi system running the GetAsanaObject Processor.

Recommendations

Upgrade to Apache NiFi version 2.7.0, which replaces Java Object serialization with JSON serialization. Remove the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle.
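
To illustrate what "adequate filtering" means for state read back from a cache, the following added example (not NiFi code, and not the project's fix, which switches to JSON) applies a JDK `ObjectInputFilter` allow-list to a deserialized state map. The class name `FilteredStateDemo`, the `Map<String,String>` state shape, the limits and the sample values are assumptions made for the demonstration.

```java
import java.io.*;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

public class FilteredStateDemo {
    // Allow-list: only the types a Map<String,String> state needs; "!*" rejects
    // every other class. The limits bound graph depth, references and size.
    static final ObjectInputFilter STATE_FILTER = ObjectInputFilter.Config.createFilter(
        "java.util.HashMap;java.util.Map$Entry;java.lang.String;"
        + "maxdepth=5;maxrefs=10000;maxbytes=1048576;!*");

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(value);
        }
        return buffer.toByteArray();
    }

    // Reads state bytes as they would come back from an external cache.
    // The filter runs before any class outside the allow-list is instantiated.
    @SuppressWarnings("unchecked")
    static Map<String, String> readState(byte[] cached)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            in.setObjectInputFilter(STATE_FILTER);
            return (Map<String, String>) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, String> state = new HashMap<>();
        state.put("task-1001", "fingerprint-a"); // constructed sample entry
        System.out.println("accepted: " + readState(serialize(state)));

        // A harmless class that is not on the allow-list stands in for
        // unexpected content in the cache; the stream is rejected.
        try {
            readState(serialize(new Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A filter narrows what a stream may instantiate but still parses Java serialization; moving to a data-only format such as JSON, as version 2.7.0 does, removes that parser from the path entirely.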

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BIT-NIFI-2025-66524
CVE-2025-66524
GHSA-V4P2-2W39-MHRJ

Affected Products

Apache NiFi
GetAsanaObject Processor
nifi-asana-processors-nar