SQL Injection Affecting org.apache.hive:hive-standalone-metastore-server package, versions [,4.2.0)


Severity

high (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-JAVA-ORGAPACHEHIVE-14136073
  • published: 27 Nov 2025
  • disclosed: 26 Nov 2025
  • credit: WuKong

Introduced: 26 Nov 2025

CVE-2025-62728
CWE-89 (SQL Injection)

How to fix?

Upgrade org.apache.hive:hive-standalone-metastore-server to version 4.2.0 or higher.

Overview

Affected versions of this package are vulnerable to SQL Injection in the handling of delete column statistics requests received over the Hive Metastore (HMS) Thrift APIs. Fields of the request reach the SQL text that the metastore's direct SQL path builds, so a caller can execute arbitrary SQL commands against the metastore database by sending specially crafted requests to the affected API endpoints. Exploitation requires both conditions: the attacker must be a trusted or authorized user/application with direct access to the Thrift APIs, and the metastore.try.direct.sql property must be set to true (it is the metastore's default).
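The pattern behind a CWE-89 finding of this kind is easiest to see side by side. The following is an added example, not code from Apache Hive or from this advisory: it models the column-statistics table with a three-column sqlite3 stand-in (the real TAB_COL_STATS schema has many more columns, and the Hive code path is Java, not Python), and contrasts a delete that concatenates request fields into the statement with one that binds them as parameters. The table name, seed rows and the injected column name are all constructed for the demonstration.

```python
import sqlite3

# Constructed, heavily simplified model of the metastore's column-statistics
# table: only the lookup keys a delete-statistics request would match on.
SCHEMA = """
CREATE TABLE TAB_COL_STATS (
    CS_ID INTEGER PRIMARY KEY,
    DB_NAME TEXT NOT NULL,
    TABLE_NAME TEXT NOT NULL,
    COLUMN_NAME TEXT NOT NULL
);
"""

# Constructed sample statistics rows for two tables in two databases.
SEED_ROWS = [
    ("sales", "orders", "amount"),
    ("sales", "orders", "region"),
    ("hr", "employees", "salary"),
]


def fresh_metastore():
    """Return an in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO TAB_COL_STATS (DB_NAME, TABLE_NAME, COLUMN_NAME) VALUES (?, ?, ?)",
        SEED_ROWS,
    )
    conn.commit()
    return conn


def count_stats(conn):
    return conn.execute("SELECT COUNT(*) FROM TAB_COL_STATS").fetchone()[0]


def delete_col_stats_unsafe(conn, db_name, table_name, col_name):
    """Vulnerable shape: request fields are spliced into the SQL text, so a
    quote inside any of them changes the statement's structure."""
    sql = (
        "DELETE FROM TAB_COL_STATS WHERE DB_NAME = '" + db_name
        + "' AND TABLE_NAME = '" + table_name
        + "' AND COLUMN_NAME = '" + col_name + "'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_col_stats_safe(conn, db_name, table_name, col_name):
    """Hardened shape: the same values travel as bound parameters and are
    only ever compared as data, never parsed as SQL."""
    cur = conn.execute(
        "DELETE FROM TAB_COL_STATS WHERE DB_NAME = ? AND TABLE_NAME = ? AND COLUMN_NAME = ?",
        (db_name, table_name, col_name),
    )
    conn.commit()
    return cur.rowcount


# Constructed payload in the position of the column name a Thrift client
# supplies: the quote closes the intended literal and the tautology widens
# the WHERE clause to every row, including other databases' statistics.
INJECTED_COLUMN = "amount' OR '1'='1"


def demo_unsafe():
    conn = fresh_metastore()
    deleted = delete_col_stats_unsafe(conn, "sales", "orders", INJECTED_COLUMN)
    return deleted, count_stats(conn)


def demo_safe():
    conn = fresh_metastore()
    deleted = delete_col_stats_safe(conn, "sales", "orders", INJECTED_COLUMN)
    return deleted, count_stats(conn)


if __name__ == "__main__":
    print("concatenated SQL:", demo_unsafe())  # (3, 0): all statistics rows deleted
    print("bound parameters:", demo_safe())    # (0, 3): nothing matches the odd name
```

The unsafe variant scopes the request to one database and table in intent only; the parameterised variant is scoped in fact, which is the property the fix in 4.2.0 restores for this request type. The payload here is a simple tautology because sqlite3 refuses stacked statements per execute call; against a metastore backend that allows them, the same quote-termination gives the caller arbitrary statements.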

Workaround

This vulnerability can be mitigated by setting the metastore.try.direct.sql property to false, which makes the metastore serve these requests through its JDO/DataNucleus ORM path instead of the direct SQL fast path; expect slower statistics operations while the workaround is in place. The property defaults to true, so leaving it unset keeps the vulnerable path active. Restricting which principals can reach the HMS Thrift port narrows exposure but does not remove the flaw; upgrading to 4.2.0 or higher does.
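Because the exploitability condition is a single configuration property with a permissive default, a deployment check is worth automating. This is an added example, not an Apache Hive tool: it reads hive-site.xml content, looks for the property under the name the advisory uses and under the older hive.-prefixed alias Hive still accepts, and treats an absent property as enabled because that is Hive's default. The precedence between the two names when both appear, and the three configuration documents, are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Name used by the advisory, then the legacy alias.  Assumption: if both are
# present the metastore.* name wins; in practice a site file carries one.
DIRECT_SQL_KEYS = ("metastore.try.direct.sql", "hive.metastore.try.direct.sql")


def site_properties(hive_site_xml: str) -> dict:
    """Flatten a hive-site.xml document into {name: value}."""
    root = ET.fromstring(hive_site_xml)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name:
            props[name] = value
    return props


def direct_sql_enabled(hive_site_xml: str) -> bool:
    """True when the vulnerable direct SQL path is active for this config."""
    props = site_properties(hive_site_xml)
    for key in DIRECT_SQL_KEYS:
        if key in props:
            return props[key].lower() == "true"
    return True  # Hive's default: direct SQL is on unless explicitly disabled


def workaround_applied(hive_site_xml: str) -> bool:
    return not direct_sql_enabled(hive_site_xml)


# Constructed configurations, not taken from any real deployment.
SITE_UNSET = """
<configuration>
  <property>
    <name>metastore.warehouse.dir</name>
    <value>/warehouse</value>
  </property>
</configuration>
"""

SITE_EXPLICIT_TRUE = """
<configuration>
  <property>
    <name>hive.metastore.try.direct.sql</name>
    <value>true</value>
  </property>
</configuration>
"""

SITE_MITIGATED = """
<configuration>
  <property>
    <name>metastore.try.direct.sql</name>
    <value>false</value>
  </property>
</configuration>
"""


if __name__ == "__main__":
    for label, doc in (("unset", SITE_UNSET), ("explicit true", SITE_EXPLICIT_TRUE), ("mitigated", SITE_MITIGATED)):
        print(f"{label:14} direct SQL enabled: {direct_sql_enabled(doc)}")
```

Run it against each metastore host's hive-site.xml; the first two cases report the vulnerable path as active, which is the common state, since most sites never mention the property. Pair the result with the package version: a 4.2.0 or later metastore can keep direct SQL on.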
