Main Vulnerability Database Vulnerabilities #VU110016

Deserialization of Untrusted Data in Hadoop - CVE-2021-25642

Published: June 2, 2025

Vulnerability identifier: #VU110016

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-25642

CWE-ID: CWE-502

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Hadoop

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. A remote user with an access to ZooKeeper can run arbitrary commands as YARN user by exploiting this vulnerability.

How to mitigate CVE-2021-25642

Install updates from vendor's website.

Sources

https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150
https://security.netapp.com/advisory/ntap-20221201-0003/

Deserialization of Untrusted Data in Hadoop - CVE-2021-25642

Detailed vulnerability description

How to mitigate CVE-2021-25642

Sources

Please verify you're human