CVE-2021-25646 in Druidinfo

Summary

by MITRE • 01/30/2021

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/04/2025

Apache Druid vulnerability CVE-2021-25646 represents a critical server-side request forgery and remote code execution flaw that fundamentally undermines the security boundaries of the data processing platform. This vulnerability exists within Druid's query processing architecture where JavaScript execution capabilities are exposed to authenticated users despite being intended for high-trust environments only. The flaw stems from insufficient input validation and access control mechanisms that allow malicious actors to bypass default security configurations and inject arbitrary JavaScript code into query requests. The vulnerability is particularly dangerous because it affects Druid versions 0.20.0 and earlier, where the JavaScript execution feature remains enabled by default, creating a persistent attack surface that can be exploited by authenticated users regardless of server configuration settings. This represents a direct violation of the principle of least privilege and demonstrates a critical failure in the application's security model.

The technical implementation of this vulnerability exploits the underlying architecture where user-provided JavaScript code can be embedded within various types of requests, including but not limited to SQL queries, aggregations, and complex analytical operations. Attackers can craft specially crafted requests that manipulate the query parsing logic to execute arbitrary JavaScript code within the Druid server process context. The vulnerability is classified as a CWE-94: Improper Control of Generation of Code and corresponds to ATT&CK technique T1059.007: Command and Scripting Interpreter: JavaScript, which emphasizes the execution of malicious code through interpreted languages. The flaw specifically targets the server-side JavaScript engine that is designed to support complex analytical functions but becomes a vector for arbitrary code execution when proper input sanitization fails. The attack chain involves authentication, request crafting, and execution, where the authenticated user leverages the application's legitimate JavaScript execution capabilities to gain unauthorized code execution privileges.

The operational impact of CVE-2021-25646 extends far beyond simple privilege escalation, as it provides attackers with complete control over the Druid server process and potentially the underlying infrastructure. When exploited, this vulnerability allows attackers to execute code with the same privileges as the Druid service account, which typically has access to sensitive data, network resources, and system capabilities. The implications include data exfiltration, system compromise, lateral movement within the network, and potential disruption of critical analytical services. Organizations using Druid in production environments face significant risk as the vulnerability can be exploited without requiring special tools or advanced technical skills beyond basic understanding of the application's query interface. The attack surface is particularly concerning because Druid is commonly deployed in enterprise analytics environments where it processes sensitive business data, making the potential impact of exploitation severe and far-reaching.

Mitigation strategies for CVE-2021-25646 must address both immediate remediation and long-term architectural improvements to prevent similar vulnerabilities. Organizations should immediately upgrade to Druid version 0.21.0 or later where the vulnerability has been patched and the JavaScript execution feature is properly disabled by default. Additionally, administrators should implement strict network segmentation to limit access to Druid services, enforce multi-factor authentication for all user accounts, and conduct regular security audits of query interfaces. The patch addresses the core issue by implementing proper input validation and access control checks that prevent unauthorized JavaScript execution regardless of server configuration settings. Security teams should also consider implementing web application firewalls, monitoring for suspicious query patterns, and establishing automated alerting for unusual JavaScript execution attempts. This vulnerability highlights the importance of proper security testing and validation of application features, particularly those involving code execution capabilities, and demonstrates the necessity of maintaining current security practices aligned with industry standards such as those defined in the OWASP Top Ten and NIST cybersecurity frameworks.

Reservation

01/21/2021

Disclosure

01/30/2021

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.99301

KEV

no

Activities

very low

Campaigns

1 (confirmed)

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!