CVE-2025-27446

Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/qwxnxolt0j5nvjfpr0mlz6h7nrtvyzng	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*

History

14 Jul 2025, 18:10

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-06 06:15

Updated : 2025-07-14 18:10

NVD link : CVE-2025-27446

Mitre link : CVE-2025-27446

CVE.ORG link : CVE-2025-27446

JSON object : View

Products Affected

apache

apisix

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

7.8 /10