Server-Side Request Forgery Vulnerability in Apache EventMesh Runtime
CVE-2024-39954

6.3 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 20 August 2025

What is CVE-2024-39954?

A Server-Side Request Forgery (SSRF) vulnerability exists in the eventmesh-runtime module of Apache EventMesh on Windows, Linux, and Mac OS platforms. The flaw allows attackers to abuse server functionality to access or modify internal resources. Users should upgrade to version 1.12.0 or use the master branch to mitigate this issue.

Affected Version(s)

Apache EventMesh Runtime 1.6.0 through 1.11.0

CVSS V3.1

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mak1r 808 <[email protected]>