8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-26866

CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization vulnerability

A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks.

Users are recommended to upgrade to version 1.7.0, which fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-26866

CVE-2025-26866:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.hugegraph:hg-pd-core	maven	< 1.7.0	1.7.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a remote code execution in Apache HugeGraph's PD (Placement Driver) component, which uses a Raft consensus algorithm for coordination. The root cause is twofold:

Insecure Deserialization: The org.apache.hugegraph.pd.raft.KVOperation.fromByteArray function uses Hessian to deserialize data for Raft log entries. Before the patch, it did not employ a class whitelist, making it vulnerable to deserialization attacks. An attacker could craft a malicious object that, upon deserialization, would execute arbitrary code on the server.
Missing Authentication: The Raft communication channel, set up by the org.apache.hugegraph.pd.raft.RaftEngine.createRaftRpcServer function, had no authentication. This allowed any unauthorized actor on the network to connect to the Raft cluster as a peer and submit data. This open access provided the entry point for an attacker to send the malicious serialized payload.

The patch addresses both issues. It introduces an IP-based authentication handler (IpAuthHandler) in the Raft RPC server to restrict access to only known peers in the cluster. Secondly, it implements a strict class whitelist (HugegraphHessianSerializerFactory) that is now used during Hessian deserialization in KVOperation.fromByteArray, ensuring only expected and safe classes can be deserialized. During an exploit, the createRaftRpcServer function would be called to establish the insecure connection, and KVOperation.fromByteArray would be the function that triggers the code execution when processing the malicious Raft entry.

Vulnerable functions

org.apache.hugegraph.pd.raft.KVOperation.fromByteArray

hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/KVOperation.java

This function is responsible for deserializing a byte array into a KVOperation object using Hessian. In the vulnerable version, it did not use a whitelist, allowing for the deserialization of arbitrary classes. An attacker could craft a malicious byte array that, when deserialized by this function, would lead to remote code execution.

org.apache.hugegraph.pd.raft.RaftEngine.createRaftRpcServer

hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/RaftEngine.java

This function creates the RPC server for Raft communication. The vulnerable version (with the signature `createRaftRpcServer(String)`) did not implement any authentication, allowing any remote machine to connect to the Raft network. This lack of authentication is what makes the deserialization vulnerability in `KVOperation.fromByteArray` remotely exploitable. The patch adds IP-based authentication by calling `configureRaftServerIpWhitelist`.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization vulnerability

CVE-2025-26866:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization vulnerability

8.8

8.8

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI