CVE-2025-66524 HIGH

CVE-2025-66524: Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor

Vendor Apache Software Foundation

Product Apache NiFi

Weakness CWE-502 · Unsafe deserialization

Published December 19, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Green

What the vulnerability does

Description

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.

Key dates

Disclosure timeline

December 19, 2025 CVE published

February 26, 2026 Record updated

Identifiers

CVE CVE-2025-66524

CWE CWE-502

CVSS 7.5 / HIGH

Affected versions

Vendor Apache Software Foundation

Product Apache NiFi

Affected ≥ 1.20.0 and ≤ 2.6.0