Incorrect Authorization Vulnerability in Apache Cassandra
CVE-2025-24860
What is CVE-2025-24860?
CVE-2025-24860 is an incorrect authorization vulnerability in Apache Cassandra, the distributed NoSQL database built to store large volumes of data across many nodes. When a cluster uses CassandraNetworkAuthorizer or CassandraCIDRAuthorizer to confine roles to particular data centers or IP/CIDR groups, affected versions let a restricted role reach data centers or CIDR groups it should not be able to. Organizations that rely on Cassandra for critical data therefore face a concrete risk of unauthorized data access and, ultimately, a data breach.
Technical Details
The vulnerability affects Apache Cassandra 4.0.0 through 4.0.15 and 4.1.0 through 4.1.7 when CassandraNetworkAuthorizer is in use, and 5.0.0 through 5.0.2 when either CassandraNetworkAuthorizer or CassandraCIDRAuthorizer is in use. On these versions, a role whose access has been restricted to specific data centers (or, on 5.0, to specific CIDR groups) can still widen its own permissions through Data Control Language (DCL) statements, e.g. the same ALTER ROLE ... WITH ACCESS TO DATACENTERS grammar an administrator uses to set the restriction, and so reach data centers or address ranges it was never meant to see. The fix shipped in 4.0.16, 4.1.8 and 5.0.3; operators running either authorizer on an affected version should upgrade and, because a widened grant persists across the upgrade, review the existing data access rules for roles whose permissions no longer match what was originally provisioned.
Potential impact of CVE-2025-24860
- Unauthorized Data Access: The most immediate concern is a role reaching data in data centers or from network ranges it was never entitled to, which defeats the segmentation the authorizer was meant to enforce.
- Data Manipulation Risks: Combined with whatever table permissions the role already holds, the widened access lets it read, update or delete data in locations that should have been out of reach, which can disrupt business operations and compromise data integrity.
- Compliance and Legal Issues: Organizations that leave such a flaw unpatched may face regulatory scrutiny and legal consequences, particularly if the exposed data contains personally identifiable information (PII) or falls under standards such as GDPR or HIPAA.
Affected Version(s)
Apache Cassandra 4.0.0 through 4.0.15 (CassandraNetworkAuthorizer)
Apache Cassandra 4.1.0 through 4.1.7 (CassandraNetworkAuthorizer)
Apache Cassandra 5.0.0 through 5.0.2 (CassandraNetworkAuthorizer and CassandraCIDRAuthorizer)
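The two checks an operator actually needs after reading the Technical Details and Affected Version(s) sections above are (1) whether a given node's version falls inside an affected range and (2) whether any role's data center grants have drifted wider than what was provisioned. The script below is an added example, not code from the advisory or from the Apache Cassandra project. It works on values you would read with `SELECT release_version FROM system.local`, `SELECT role, dcs FROM system_auth.network_permissions` and `SELECT role FROM system_auth.roles`, but the rows embedded here are constructed sample data, and the convention that a role with no network_permissions row is unrestricted is an assumption of this example that you should verify on your own version. The drift function is generic over "role -> set of labels", so the same logic can be pointed at CIDR-group grants on 5.0.

```python
"""Post-advisory checks for CVE-2025-24860 (Apache Cassandra network/CIDR authorizers).

Added example, not code from the advisory or from the Cassandra project.
  1. is_affected(): classify a node's release_version string against the
     affected ranges (fixed in 4.0.16, 4.1.8 and 5.0.3).
  2. find_permission_drift(): compare role -> allowed-data-center grants read
     back from system_auth.network_permissions against an operator baseline
     and report every role whose grants widened.
All sample rows below are constructed, not output from a real cluster.
"""
from __future__ import annotations

import re
from typing import Iterable

# (first affected, first fixed) per release line, taken from the advisory.
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 0, 16)),
    ((4, 1, 0), (4, 1, 8)),
    ((5, 0, 0), (5, 0, 3)),
]

# Sentinel for "this role has no baseline entry at all".
_MISSING = object()


def parse_version(release_version: str) -> tuple[int, int, int]:
    """Turn '4.0.15', '5.0.2' or '4.1.7-SNAPSHOT' into (major, minor, patch).
    Anything after the patch number is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", release_version)
    if not m:
        raise ValueError(f"unrecognised release_version: {release_version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(release_version: str) -> bool:
    """True if the version lies in any affected range: lower bound inclusive,
    first fixed release exclusive."""
    v = parse_version(release_version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def rows_to_grants(
    rows: Iterable[tuple[str, Iterable[str] | None]],
    all_roles: Iterable[str],
) -> dict[str, frozenset[str] | None]:
    """Build role -> allowed set from (role, dcs) rows of system_auth.network_permissions.
    Assumption of this example: a role with no row (or a NULL dcs) has
    ALL DATACENTERS, encoded here as None. Verify that against your version."""
    grants: dict[str, frozenset[str] | None] = {role: None for role in all_roles}
    for role, dcs in rows:
        grants[role] = frozenset(dcs) if dcs is not None else None
    return grants


def _fmt(s: frozenset[str] | None) -> str:
    return "ALL" if s is None else "{" + ", ".join(sorted(s)) + "}"


def find_permission_drift(
    current: dict[str, frozenset[str] | None],
    baseline: dict[str, frozenset[str] | None],
) -> list[str]:
    """Report roles whose grants widened relative to the baseline. None means
    unrestricted. Widening is: restricted -> ALL, a set gaining a member, or a
    role with no baseline entry at all. Narrowing is deliberately not reported."""
    findings: list[str] = []
    for role, now in current.items():
        was = baseline.get(role, _MISSING)
        if was is _MISSING:
            findings.append(f"{role}: not in baseline (now {_fmt(now)})")
        elif was is None:
            continue  # already unrestricted; cannot widen further
        elif now is None:
            findings.append(f"{role}: widened from {_fmt(was)} to ALL")
        elif not now <= was:
            findings.append(f"{role}: gained {_fmt(now - was)}")
    return findings


# Constructed sample: grants recorded when the roles were provisioned.
BASELINE = {
    "analyst": frozenset({"dc1"}),
    "etl": frozenset({"dc1", "dc2"}),
    "admin": None,
}
# Constructed sample of what the two SELECTs return today: 'analyst' has lost
# its network_permissions row (now unrestricted), 'intern' was never recorded.
CURRENT_ROWS = [("etl", {"dc1", "dc2"}), ("intern", {"dc1"})]
CURRENT_ROLES = ["analyst", "etl", "admin", "intern"]


def audit_sample() -> list[str]:
    """Run the drift check over the constructed sample and return the findings."""
    return find_permission_drift(rows_to_grants(CURRENT_ROWS, CURRENT_ROLES), BASELINE)


if __name__ == "__main__":
    for ver in ("4.0.15", "4.0.16", "5.0.2", "5.0.3"):
        print(f"{ver}: {'AFFECTED' if is_affected(ver) else 'fixed or unaffected'}")
    for line in audit_sample():
        print("DRIFT", line)
```

Run it against real output by replacing the constructed rows with the results of the three queries; the baseline should come from whatever provisioning record (IaC, runbook, ticket) created the roles, never from the cluster itself, since the cluster's current state is exactly what is in question.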