Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2025-64152: Apache IoTDB Second Critical Path Traversal Flaw
CVE-2025-64152: Apache IoTDB Second Critical Path Traversal Flaw

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2025-64152

CVE-2025-64152: Apache IoTDB Second Critical Path Traversal Flaw

A second critical path traversal vulnerability (CVSS 9.1) in Apache IoTDB affects versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.6. Patch to 1.3.6 or...

Dylan H.

Security Team

June 27, 2026
5 min read

Affected Products

  • Apache IoTDB 1.0.0 – 1.3.5
  • Apache IoTDB 2.0.0 – 2.0.6

Overview

Apache IoTDB carries a second critical path traversal vulnerability, tracked as CVE-2025-64152 with a CVSS v3.1 score of 9.1 (Critical). Disclosed the same day as CVE-2025-55017, this flaw affects a slightly wider range on the 2.x branch — up to and including 2.0.6 — meaning organizations that patched CVE-2025-55017 by upgrading only to 2.0.6 are still vulnerable and must upgrade again to 2.0.7.


Vulnerability Details

FieldDetails
CVE IDCVE-2025-64152
VendorApache Software Foundation
ProductApache IoTDB
Vulnerability TypePath Traversal (CWE-22)
CVSS Score9.1 (Critical)
Affected Versions1.0.0 – 1.3.5; 2.0.0 – 2.0.6
Fixed Versions1.3.6; 2.0.7
PublishedJune 26, 2025

How CVE-2025-64152 Differs from CVE-2025-55017

Two path traversal CVEs were filed simultaneously for Apache IoTDB, indicating two distinct vulnerable code paths or components within the application:

AttributeCVE-2025-55017CVE-2025-64152
CVSS Score9.19.1
1.x fix1.3.61.3.6
2.x fix2.0.62.0.7
2.x affected through2.0.52.0.6

The critical takeaway: 2.0.6 fixes CVE-2025-55017 but does NOT fix CVE-2025-64152. You must upgrade to 2.0.7 to close both vulnerabilities on the 2.x branch.


Technical Analysis

Nature of the Flaw

Like CVE-2025-55017, this vulnerability arises from improper neutralization of path traversal sequences in user-controlled input. The specific code path is distinct — it may reside in a different API endpoint, file handling routine, or module within IoTDB — but the impact class is identical: an attacker can use ../ sequences to escape the intended base directory and access arbitrary filesystem locations.

Exploitation Impact

Successful exploitation could enable:

  • Unauthorized file read — Exfiltration of IoTDB configuration, schema definitions, or raw time-series data files
  • Credential harvesting — Many IoTDB deployments store authentication credentials or connect to other systems with stored keys
  • File write attacks — Overwriting critical files, potentially leading to code execution or denial of service
  • OT/ICS data theft — Industrial sensor data, operational parameters, and process telemetry

Affected Environments

Apache IoTDB is commonly found in:

  • Energy sector — Power generation, grid monitoring, metering infrastructure
  • Manufacturing — Production line telemetry, quality control sensors
  • Smart cities — Traffic monitoring, environmental sensors, utility management
  • Healthcare IoT — Medical device telemetry and patient monitoring aggregation

Both CVEs are especially significant in OT/ICS environments where patching windows are narrow and network segmentation may be the primary mitigating control.


Remediation

Required Upgrade Targets

BranchAffected VersionsMinimum Safe Version
1.x1.0.0 – 1.3.51.3.6
2.x1.0.0 – 2.0.62.0.7

Warning: If you upgraded to 2.0.6 to address CVE-2025-55017, you are still exposed to CVE-2025-64152. Upgrade to 2.0.7 immediately.

Interim Mitigations

While scheduling the upgrade:

  1. Firewall IoTDB ports — Ensure the IoTDB Thrift API (default port 6667) and REST API (default port 18080) are not accessible from untrusted networks.
  2. Deploy a WAF rule — If IoTDB is exposed via a web proxy, add rules to block requests containing ../, %2e%2e, and similar traversal sequences.
  3. Audit filesystem permissions — Restrict the IoTDB service account to the minimum required file system access.
  4. Enable audit logging — Log all file system access at the OS level on IoTDB hosts.

Detection

Indicators of Exploitation Attempts

Monitor for these patterns in IoTDB logs and network traffic:

GET /rest/v2/... containing: %2e%2e, ../, ..\

SIEM Query (Generic)

index=app_logs sourcetype=iotdb
| regex _raw="(\.\./|\.\.\\\\|%2e%2e)"
| table _time, src_ip, uri, status
| sort -_time

File Integrity Monitoring

Alert on unexpected reads or writes to files outside the configured IoTDB data directory (iotdb.data.dirs).


Dual-CVE Patching Checklist

Both vulnerabilities were disclosed simultaneously. Use this checklist to ensure complete remediation:

  • Identify IoTDB version across all environments (dev, staging, prod)
  • For 1.x users: upgrade to 1.3.6 (fixes both CVE-2025-55017 and CVE-2025-64152)
  • For 2.x users: upgrade to 2.0.7 (fixes both CVEs — 2.0.6 only fixes CVE-2025-55017)
  • Verify the running version post-upgrade with show version; in IoTDB CLI
  • Review network access controls — IoTDB should not be internet-facing
  • Check for evidence of exploitation in IoTDB access logs

Timeline

DateEvent
Prior to June 2025Both vulnerabilities exist in Apache IoTDB codebase
June 26, 2025CVE-2025-64152 published by NVD (CVSS 9.1)
June 26, 2025CVE-2025-55017 published simultaneously
June 27, 2026CosmicBytez Labs advisory published

Sources

  • NVD — CVE-2025-64152
  • Apache IoTDB Project

Related Advisories

  • CVE-2025-55017: Apache IoTDB Path Traversal (CVSS 9.1)
#Vulnerability#CVE#Apache#IoTDB#Path Traversal#ICS#Security Updates

Related Articles

CVE-2025-55017: Apache IoTDB Critical Path Traversal Vulnerability

Critical path traversal vulnerability (CVSS 9.1) in Apache IoTDB affects versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.5. Users must upgrade...

4 min read

CVE-2026-35392: Critical Path Traversal in goshs Go HTTP

A critical CVSS 9.8 path traversal vulnerability in goshs, a SimpleHTTPServer written in Go, allows unauthenticated attackers to write arbitrary files via...

4 min read

CVE-2026-14198: Fastify Middie Middleware Path Bypass (CVSS 9.1)

Critical path bypass vulnerability in @fastify/middie versions 9.1.0 through 9.3.2 allows attackers to evade middleware protection by exploiting a %2F...

5 min read
Back to all Security Alerts