PRP: Apache IoTDB CVE-2025-48459 RCE

[am0o0]

• Identifier of the vulnerability: CVE-2025-48459
• Affected software: Apache IoTDB
• Type of vulnerability: RCE
• Requires authentication: No
• Language you would use for writing the plugin: Java
• Resources:
  • GHSA-776q-jw43-fhjx

@tooryx Hi
I just created this issue to let you know if you are interested in this software. After you give me your feedback, I can start my research for creating an exploit because there is no public exploit for this vulnerability, and I'm still uncertain if it is possible to use templated plugins for this or not.

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team

[github-actions]

This message is addressed to the Tsunami panel.

Contributor stats

• The contributor has 2 issues tagged as main;
• The contributor has 4 issues tagged as queue.

Useful links

• All open issues from this contributor
• All open PRs from this contributor

[tooryx]

Automated message: Do not reply to that comment or tag the author. We just announced a temporary program freeze please see #752 for details. Thank you for your understanding and patience.

[tooryx]

Hi @am0o0,

Are you still willing to contribute on this? Otherwise I will close it, in view of our current PRP pause.

~tooryx