Overview
Apache IoTDB carries a second critical path traversal vulnerability, tracked as CVE-2025-64152 with a CVSS v3.1 score of 9.1 (Critical). Disclosed the same day as CVE-2025-55017, this flaw affects a slightly wider range on the 2.x branch — up to and including 2.0.6 — meaning organizations that patched CVE-2025-55017 by upgrading only to 2.0.6 are still vulnerable and must upgrade again to 2.0.7.
Vulnerability Details
| Field | Details |
|---|---|
| CVE ID | CVE-2025-64152 |
| Vendor | Apache Software Foundation |
| Product | Apache IoTDB |
| Vulnerability Type | Path Traversal (CWE-22) |
| CVSS Score | 9.1 (Critical) |
| Affected Versions | 1.0.0 – 1.3.5; 2.0.0 – 2.0.6 |
| Fixed Versions | 1.3.6; 2.0.7 |
| Published | June 26, 2025 |
How CVE-2025-64152 Differs from CVE-2025-55017
Two path traversal CVEs were filed simultaneously for Apache IoTDB, indicating two distinct vulnerable code paths or components within the application:
| Attribute | CVE-2025-55017 | CVE-2025-64152 |
|---|---|---|
| CVSS Score | 9.1 | 9.1 |
| 1.x fix | 1.3.6 | 1.3.6 |
| 2.x fix | 2.0.6 | 2.0.7 |
| 2.x affected through | 2.0.5 | 2.0.6 |
The critical takeaway: 2.0.6 fixes CVE-2025-55017 but does NOT fix CVE-2025-64152. You must upgrade to 2.0.7 to close both vulnerabilities on the 2.x branch.
Technical Analysis
Nature of the Flaw
Like CVE-2025-55017, this vulnerability arises from improper neutralization of path traversal sequences in user-controlled input. The specific code path is distinct — it may reside in a different API endpoint, file handling routine, or module within IoTDB — but the impact class is identical: an attacker can use ../ sequences to escape the intended base directory and access arbitrary filesystem locations.
Exploitation Impact
Successful exploitation could enable:
- Unauthorized file read — Exfiltration of IoTDB configuration, schema definitions, or raw time-series data files
- Credential harvesting — Many IoTDB deployments store authentication credentials or connect to other systems with stored keys
- File write attacks — Overwriting critical files, potentially leading to code execution or denial of service
- OT/ICS data theft — Industrial sensor data, operational parameters, and process telemetry
Affected Environments
Apache IoTDB is commonly found in:
- Energy sector — Power generation, grid monitoring, metering infrastructure
- Manufacturing — Production line telemetry, quality control sensors
- Smart cities — Traffic monitoring, environmental sensors, utility management
- Healthcare IoT — Medical device telemetry and patient monitoring aggregation
Both CVEs are especially significant in OT/ICS environments where patching windows are narrow and network segmentation may be the primary mitigating control.
Remediation
Required Upgrade Targets
| Branch | Affected Versions | Minimum Safe Version |
|---|---|---|
| 1.x | 1.0.0 – 1.3.5 | 1.3.6 |
| 2.x | 1.0.0 – 2.0.6 | 2.0.7 |
Warning: If you upgraded to 2.0.6 to address CVE-2025-55017, you are still exposed to CVE-2025-64152. Upgrade to 2.0.7 immediately.
Interim Mitigations
While scheduling the upgrade:
- Firewall IoTDB ports — Ensure the IoTDB Thrift API (default port 6667) and REST API (default port 18080) are not accessible from untrusted networks.
- Deploy a WAF rule — If IoTDB is exposed via a web proxy, add rules to block requests containing
../,%2e%2e, and similar traversal sequences. - Audit filesystem permissions — Restrict the IoTDB service account to the minimum required file system access.
- Enable audit logging — Log all file system access at the OS level on IoTDB hosts.
Detection
Indicators of Exploitation Attempts
Monitor for these patterns in IoTDB logs and network traffic:
GET /rest/v2/... containing: %2e%2e, ../, ..\
SIEM Query (Generic)
index=app_logs sourcetype=iotdb
| regex _raw="(\.\./|\.\.\\\\|%2e%2e)"
| table _time, src_ip, uri, status
| sort -_timeFile Integrity Monitoring
Alert on unexpected reads or writes to files outside the configured IoTDB data directory (iotdb.data.dirs).
Dual-CVE Patching Checklist
Both vulnerabilities were disclosed simultaneously. Use this checklist to ensure complete remediation:
- Identify IoTDB version across all environments (dev, staging, prod)
- For 1.x users: upgrade to 1.3.6 (fixes both CVE-2025-55017 and CVE-2025-64152)
- For 2.x users: upgrade to 2.0.7 (fixes both CVEs — 2.0.6 only fixes CVE-2025-55017)
- Verify the running version post-upgrade with
show version;in IoTDB CLI - Review network access controls — IoTDB should not be internet-facing
- Check for evidence of exploitation in IoTDB access logs
Timeline
| Date | Event |
|---|---|
| Prior to June 2025 | Both vulnerabilities exist in Apache IoTDB codebase |
| June 26, 2025 | CVE-2025-64152 published by NVD (CVSS 9.1) |
| June 26, 2025 | CVE-2025-55017 published simultaneously |
| June 27, 2026 | CosmicBytez Labs advisory published |