{"id":"CVE-2021-25646","details":"Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.","aliases":["GHSA-wrqf-rrrw-w3mg"],"modified":"2026-04-10T04:31:05.930493Z","published":"2021-01-29T20:15:12.997Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/01/29/6"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/druid","events":[{"introduced":"0"},{"last_affected":"acdc6ee7ea3a81fb3e70b92d7cc682921f988eb5"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.20.0"}]}}],"versions":["druid-0.1.0","druid-0.1.1","druid-0.1.10","druid-0.1.11","druid-0.1.12","druid-0.1.13","druid-0.1.14","druid-0.1.2","druid-0.1.3","druid-0.1.4","druid-0.1.6","druid-0.1.7","druid-0.1.8","druid-0.1.9","druid-0.20.0","druid-0.20.0-rc2","druid-0.3.10","druid-0.3.11","druid-0.3.12","druid-0.3.13","druid-0.3.14","druid-0.3.15","druid-0.3.16","druid-0.3.18","druid-0.3.20","druid-0.3.21","druid-0.3.22","druid-0.3.24","druid-0.3.25","druid-0.3.27","druid-0.3.28","druid-0.3.29","druid-0.3.30","druid-0.3.31","druid-0.3.32","druid-0.3.33","druid-0.3.34","druid-0.3.4","druid-0.3.5","druid-0.3.6","druid-0.4.0","druid-0.4.1","druid-0.4.10","druid-0.4.11","druid-0.4.12","druid-0.4.15","druid-0.4.16","druid-0.4.17","druid-0.4.18","druid-0.4.19","druid-0.4.2","druid-0.4.20","druid-0.4.21","druid-0.4.22","druid-0.4.23","druid-0.4.24","druid-0.4.25","druid-0.4.26","druid-0.4.27","druid-0.4.28","druid-0.4.29","druid-0.4.3","druid-0.4.30","druid-0.4.31","druid-0.4.32","druid-0.4.5","druid-0.4.6","druid-0.4.7","druid-0.4.8","druid-0.4.9","druid-0.5.0","druid-0.5.1","druid-0.5.10","druid-0.5.11","druid-0.5.13","druid-0.5.14","druid-0.5.15","druid-0.5.16","druid-0.5.17","druid-0.5.18","druid-0.5.19","druid-0.5.2","druid-0.5.20","druid-0.5.21","druid-0.5.22","druid-0.5.23","druid-0.5.24","druid-0.5.25","druid-0.5.26","druid-0.5.27","druid-0.5.29","druid-0.5.3","druid-0.5.30","druid-0.5.31","druid-0.5.32","druid-0.5.33","druid-0.5.34","druid-0.5.35","druid-0.5.38","druid-0.5.39","druid-0.5.41","druid-0.5.42","druid-0.5.43","druid-0.5.44","druid-0.5.45","druid-0.5.46","druid-0.5.47","druid-0.5.48","druid-0.5.49","druid-0.5.5","druid-0.5.51","druid-0.5.52","druid-0.5.53","druid-0.5.54","druid-0.5.56","druid-0.5.57","druid-0.5.58","druid-0.5.7","druid-0.5.8","druid-0.5.9","druid-0.6.0","druid-0.6.1","druid-0.6.10","druid-0.6.100","druid-0.6.101","druid-0.6.102","druid-0.6.103","druid-0.6.104","druid-0.6.105","druid-0.6.106","druid-0.6.107","druid-0.6.108","druid-0.6.109","druid-0.6.11","druid-0.6.110","druid-0.6.111","druid-0.6.112","druid-0.6.113","druid-0.6.114","druid-0.6.115","druid-0.6.116","druid-0.6.117","druid-0.6.118","druid-0.6.119","druid-0.6.12","druid-0.6.120","druid-0.6.121","druid-0.6.122","druid-0.6.123","druid-0.6.124","druid-0.6.125","druid-0.6.126","druid-0.6.127","druid-0.6.128","druid-0.6.129","druid-0.6.13","druid-0.6.130","druid-0.6.131","druid-0.6.132","druid-0.6.133","druid-0.6.134","druid-0.6.135","druid-0.6.136","druid-0.6.137","druid-0.6.138","druid-0.6.139","druid-0.6.14","druid-0.6.140","druid-0.6.141","druid-0.6.142","druid-0.6.143","druid-0.6.144","druid-0.6.145","druid-0.6.146","druid-0.6.147","druid-0.6.148","druid-0.6.149","druid-0.6.15","druid-0.6.150","druid-0.6.151","druid-0.6.152","druid-0.6.153","druid-0.6.154","druid-0.6.155","druid-0.6.156","druid-0.6.157","druid-0.6.158","druid-0.6.159","druid-0.6.16","druid-0.6.160","druid-0.6.17","druid-0.6.18","druid-0.6.19","druid-0.6.2","druid-0.6.20","druid-0.6.21","druid-0.6.22","druid-0.6.23","druid-0.6.24","druid-0.6.25","druid-0.6.26","druid-0.6.27","druid-0.6.28","druid-0.6.29","druid-0.6.3","druid-0.6.30","druid-0.6.31","druid-0.6.32","druid-0.6.33","druid-0.6.34","druid-0.6.35","druid-0.6.36","druid-0.6.37","druid-0.6.38","druid-0.6.39","druid-0.6.4","druid-0.6.40","druid-0.6.41","druid-0.6.42","druid-0.6.45","druid-0.6.46","druid-0.6.47","druid-0.6.48","druid-0.6.49","druid-0.6.5","druid-0.6.50","druid-0.6.51","druid-0.6.52","druid-0.6.53","druid-0.6.54","druid-0.6.55","druid-0.6.56","druid-0.6.57","druid-0.6.58","druid-0.6.59","druid-0.6.60","druid-0.6.61","druid-0.6.62","druid-0.6.63","druid-0.6.64","druid-0.6.65","druid-0.6.66","druid-0.6.68","druid-0.6.69","druid-0.6.7","druid-0.6.70","druid-0.6.71","druid-0.6.72","druid-0.6.73","druid-0.6.74","druid-0.6.75","druid-0.6.76","druid-0.6.77","druid-0.6.78","druid-0.6.79","druid-0.6.8","druid-0.6.81","druid-0.6.82","druid-0.6.83","druid-0.6.84","druid-0.6.85","druid-0.6.86","druid-0.6.87","druid-0.6.88","druid-0.6.89","druid-0.6.9","druid-0.6.90","druid-0.6.91","druid-0.6.92","druid-0.6.93","druid-0.6.94","druid-0.6.95","druid-0.6.96","druid-0.6.97","druid-0.6.98","druid-0.6.99","druid-0.7.0","druid-0.7.0-rc1","druid-0.7.0-rc2","druid-0.7.0-rc3","druid-0.7.1","druid-0.7.1-rc1","druid-0.8.0-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25646.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}