VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-dzkm-q626-pug7

Essentials
Severities (19)
References (9)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-dzkm-q626-pug7
Aliases	CVE-2025-61735 GHSA-f6m8-qm7j-fh65
Summary	Apache Kylin Server-Side Request Forgery (SSRF) Vulnerability Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-918	Server-Side Request Forgery (SSRF)
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2025-61735
epss	0.001	https://api.first.org/data/v1/epss?cve=CVE-2025-61735
epss	0.00108	https://api.first.org/data/v1/epss?cve=CVE-2025-61735
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-f6m8-qm7j-fh65
cvssv3.1	7.3	https://github.com/apache/kylin
generic_textual	HIGH	https://github.com/apache/kylin
cvssv3.1	7.3	https://github.com/apache/kylin/commit/22eb8fd5dfdeffa3fc57bae6d5c82a019eece662
generic_textual	HIGH	https://github.com/apache/kylin/commit/22eb8fd5dfdeffa3fc57bae6d5c82a019eece662
cvssv3.1	7.3	https://github.com/apache/kylin/pull/2332
generic_textual	HIGH	https://github.com/apache/kylin/pull/2332
cvssv3.1	7.3	https://issues.apache.org/jira/browse/KYLIN-6082
generic_textual	HIGH	https://issues.apache.org/jira/browse/KYLIN-6082
cvssv3.1	7.3	https://lists.apache.org/thread/yscobmx869zvprsykb94r24jtmb58ckh
generic_textual	HIGH	https://lists.apache.org/thread/yscobmx869zvprsykb94r24jtmb58ckh
ssvc	Track	https://lists.apache.org/thread/yscobmx869zvprsykb94r24jtmb58ckh
cvssv3.1	7.3	https://nvd.nist.gov/vuln/detail/CVE-2025-61735
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-61735
cvssv3.1	7.3	http://www.openwall.com/lists/oss-security/2025/09/30/9
generic_textual	HIGH	http://www.openwall.com/lists/oss-security/2025/09/30/9

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-61735
		https://github.com/apache/kylin
		https://github.com/apache/kylin/commit/22eb8fd5dfdeffa3fc57bae6d5c82a019eece662
		https://github.com/apache/kylin/pull/2332
		https://issues.apache.org/jira/browse/KYLIN-6082
		https://lists.apache.org/thread/yscobmx869zvprsykb94r24jtmb58ckh
		http://www.openwall.com/lists/oss-security/2025/09/30/9
CVE-2025-61735		https://nvd.nist.gov/vuln/detail/CVE-2025-61735
GHSA-f6m8-qm7j-fh65		https://github.com/advisories/GHSA-f6m8-qm7j-fh65

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/apache/kylin

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/apache/kylin/commit/22eb8fd5dfdeffa3fc57bae6d5c82a019eece662

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/apache/kylin/pull/2332

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://issues.apache.org/jira/browse/KYLIN-6082

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://lists.apache.org/thread/yscobmx869zvprsykb94r24jtmb58ckh

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-02T14:10:47Z/ Found at https://lists.apache.org/thread/yscobmx869zvprsykb94r24jtmb58ckh

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2025-61735

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at http://www.openwall.com/lists/oss-security/2025/09/30/9

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.27291
EPSS Score	0.001
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:48:01.223683+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.kylin/kylin-ops-server/CVE-2025-61735.yml	38.6.0