Cyber Posture

CVE-2025-66524

Severity: High

Published: 19 December 2025
Modified: 08 January 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (47.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distributed Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely flaw remediation, by upgrading Apache NiFi to 2.7.0 or removing the nifi-asana-processors-nar bundle, eliminates the unfiltered Java deserialization path, as the vendor recommends.

CM-7 Least Functionality (prevent)

Least functionality keeps only the processors a flow actually needs enabled. An instance that does not run the GetAsanaObject Processor has no reachable deserialization path through the cache, so disabling or removing it closes the issue for that instance.

SI-10 Information Input Validation (prevent)

Input validation of the state read back from the Distributed Map Cache Client Service has to happen before deserialization, not after: gadget chains run inside readObject() itself, so checking field values once the object exists is too late. In practice this means a JDK ObjectInputFilter allow-list restricted to the expected state class, or, as NiFi 2.7.0 did, a format such as JSON that cannot instantiate arbitrary classes.

Security Summary

CVE-2025-66524 is a high-severity vulnerability (CVSS 8.8) in Apache NiFi 1.20.0 through 2.6.0, specifically in the GetAsanaObject Processor shipped in the nifi-asana-processors-nar bundle. The processor stores and retrieves its state through a configurable Distributed Map Cache Client Service, and it reads that state back with plain Java object deserialization and no deserialization filter (CWE-502). Because an unfiltered ObjectInputStream will instantiate any serializable class on NiFi's classpath, whoever can write to the cache decides which classes are instantiated, and which readObject() methods run, inside the NiFi JVM.

Exploitation requires low privileges (PR:L) and direct access to the cache server that the client service is configured against, on an instance that is actually running the GetAsanaObject Processor. The attack is network-reachable (AV:N), of low complexity (AC:L) and needs no user interaction (UI:N), with high impact on confidentiality, integrity and availability (C:H/I:H/A:H). A crafted state entry stored in the cache triggers deserialization gadget chains the next time the processor reads it. The path runs through the cache server's own listener rather than NiFi's HTTP API, so who can reach and authenticate to that cache service determines who can plant the entry; restricting network access to it is a compensating control, not a fix.

Apache advisories recommend upgrading to NiFi 2.7.0, which mitigates the issue by replacing Java object serialization with JSON serialization. Alternatively, removing the GetAsanaObject Processor from the nifi-asana-processors-nar bundle prevents exploitation entirely. Details are available in the Apache mailing list announcement and oss-security posting.
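The following Java program is an added illustration, not Apache NiFi's or Apache's code: the CacheState and Planted classes, the in-memory cache map and the sample values are hypothetical stand-ins constructed here. It shows the unfiltered readObject() pattern the advisory describes beside a JDK ObjectInputFilter allow-list, which is the kind of pre-deserialization filtering the Information Input Validation control above refers to. It does not reproduce the JSON-based replacement that NiFi 2.7.0 adopted.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Apache NiFi code. A processor keeps a small state
// record in a map cache as Java-serialized bytes. Anyone who can write to the
// cache server chooses which serializable class the reader instantiates.
public class CacheStateDemo {

    // Hypothetical state record; stands in for whatever the processor stores.
    public static final class CacheState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String lastSeenId;
        final long fingerprint;
        CacheState(String lastSeenId, long fingerprint) {
            this.lastSeenId = lastSeenId;
            this.fingerprint = fingerprint;
        }
    }

    // Stand-in for an attacker-chosen class. Its readObject() runs as soon as
    // the stream is read. A real gadget chain does far worse than flip a flag,
    // but the control-flow point at which it runs is exactly this one.
    public static final class Planted implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true;
        }
    }

    // Constructed stand-in for the distributed map cache: key -> opaque bytes.
    static final Map<String, byte[]> cache = new HashMap<>();

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    // Vulnerable pattern (CWE-502): no filter, so any serializable class on the
    // classpath may be instantiated and its readObject() / gadget chain executed.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list filter. Only the state class (and String,
    // for its field) may be resolved; "!*" rejects every other class before it
    // is instantiated, so a planted readObject() never runs.
    static final ObjectInputFilter STATE_ONLY = ObjectInputFilter.Config.createFilter(
            CacheState.class.getName() + ";java.lang.String;!*");

    static CacheState readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(STATE_ONLY);
            return (CacheState) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Legitimate entry written by the processor itself (constructed values).
        cache.put("state", serialize(new CacheState("1201234567890", 42L)));
        // Same key overwritten by someone with direct access to the cache server.
        cache.put("state", serialize(new Planted()));

        readUnfiltered(cache.get("state"));
        System.out.println("unfiltered read: planted readObject ran = " + Planted.triggered);

        Planted.triggered = false;
        try {
            readFiltered(cache.get("state"));
        } catch (InvalidClassException rejected) {
            System.out.println("filtered read: rejected before readObject ran = " + !Planted.triggered
                    + " [" + rejected.getMessage() + "]");
        }

        // The filter still accepts the processor's own state.
        cache.put("state", serialize(new CacheState("1201234567890", 42L)));
        System.out.println("filtered read of legitimate state: lastSeenId="
                + readFiltered(cache.get("state")).lastSeenId);
    }
}
```

Compile and run with `javac CacheStateDemo.java && java CacheStateDemo` on Java 9 or later (ObjectInputFilter was added in Java 9; NiFi 2.x itself runs on newer JDKs). The point of the allow-list is where the rejection happens: the filter is consulted when the class descriptor is resolved, before any instance exists, so no constructor, readObject() or gadget chain of the planted class is ever reached. Validating the fields of the object after readObject() returns would not help, which is why the vendor's fix moved the state format to JSON rather than adding checks around the existing deserialization.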

Details

CWE(s)
CWE-502 Deserialization of Untrusted Data

Affected Products
apache nifi 1.20.0 through 2.6.0 (fixed in 2.7.0)

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The deserialization flaw (CWE-502) lets anyone who can write to the configured cache have gadget chains executed inside the NiFi JVM the next time the processor reads its state. Reaching the cache server over the network and using it to run code on the NiFi host is exploitation of a remote service (T1210); that code runs with the privileges of the NiFi service account, which is more than cache-write access alone grants, hence exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
