CVE-2025-1385 HIGH

CVE-2025-1385: Fail input validation in clickhouse-library-bridge API could lead to RCE under specific configuration

Vendor Clickhouse
Product ClickHouse OSS
Weakness CWE-20 · Input validation
Published March 20, 2025
Last update March 20, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

When the library bridge feature is enabled, clickhouse-library-bridge exposes an HTTP API on localhost. This allows clickhouse-server to dynamically load a library from a specified path and execute it in an isolated process. Combined with the ClickHouse table engine functionality that permits file uploads to specific directories, a misconfigured server can be exploited by an attacker who has the privileges to access both table engines to execute arbitrary code on the ClickHouse server.

You can check whether your ClickHouse server is affected by this vulnerability by inspecting the configuration file and confirming whether the following setting is enabled:

    <library_bridge>
        <port>9019</port>
    </library_bridge>
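One way to automate the configuration check described above, as an added example that is not part of the advisory or of ClickHouse itself. It assumes the default /etc/clickhouse-server layout with XML overrides in config.d, approximates the merge by reading files in sorted order, and does not read YAML configuration files; the sample documents are constructed.

```python
import glob
import os
import xml.etree.ElementTree as ET

DEFAULT_DIR = "/etc/clickhouse-server"  # assumption: default package install path

# Constructed sample documents (not taken from a real server).
SAMPLE_MAIN = "<clickhouse><library_bridge><port>9019</port></library_bridge></clickhouse>"
SAMPLE_OVERRIDE = '<clickhouse><library_bridge remove="remove"/></clickhouse>'

def library_bridge_setting(xml_text):
    """Return None, ("removed", None) or ("set", port) for one config document."""
    node = ET.fromstring(xml_text).find("library_bridge")  # child of the root element
    if node is None:
        return None
    if "remove" in node.attrib:  # ClickHouse override syntax that deletes the element
        return ("removed", None)
    return ("set", (node.findtext("port") or "").strip() or None)

def effective_setting(documents):
    """documents: (name, xml_text) pairs in merge order; later entries override."""
    state = None
    for name, text in documents:
        found = library_bridge_setting(text)
        if found is None:
            continue
        if found[0] == "removed":
            state = None
        else:
            previous_port = state["port"] if state else None
            state = {"file": name, "port": found[1] or previous_port}
    return state

def load_documents(config_dir=DEFAULT_DIR):
    """Read config.xml, then config.d/*.xml in sorted order (XML files only)."""
    paths = [os.path.join(config_dir, "config.xml")]
    paths += sorted(glob.glob(os.path.join(config_dir, "config.d", "*.xml")))
    docs = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as handle:
                docs.append((path, handle.read()))
    return docs

if __name__ == "__main__":
    result = effective_setting(load_documents())
    if result:
        print(f"library_bridge is configured (port {result['port']}) in {result['file']}")
    else:
        print("library_bridge is not configured in the XML files checked")
```

A positive result means the setting named in the advisory is present; whether the server is exploitable still depends on which users can reach the table engines the description mentions.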

Key dates

02 Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated