CVE-2021-25646 Apache Druid - RCE

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.

1.1        Vulnerability Summary

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

CVE-2021-25646: Apache Druid (RCE). Virsec Risk index: 77%

Watch the video to learn more about this and other important vulnerabilities.

1.2        CVSS Score

The CVSS Base score of this vulnerability is 8.8 High as per NVD.


1.3        Affected Version

Apache Druid 0.20.0 and earlier.

1.4        Vulnerability Attribution

This vulnerability is reported by Litch1 from the Security Team of Alibaba Cloud.

1.5        Risk Impact

Druid is a column-oriented, open-source, distributed data store written in Java. Druid is designed to quickly ingest massive quantities of event data and provide low-latency queries on top of the data.

Druid is commonly used in business intelligence/OLAP applications to analyze high volumes of real-time and historical data. Druid is used in production by Top 100 technology companies such as AlibabaAirbnb, CiscoeBay, Lyft,  Netflix, PayPal, Pinterest, Twitter, Walmart, Wikimedia Foundation[10] and Yahoo.


Exploiting this vulnerability will allow an attacker to take over production machines or plant backdoor for exfiltration of critical company and customer information. There are no publicly available exploits.

1.6        Virsec Security Platform (VSP) Support:

  • VSP-Web capability can detect all types of command injection attack and prevent this vulnerability from being exploited.

  • VSP-Host monitors processes that are spawned which are not part of a set of whitelisted processes. Any attempt to execute a new command or unknown binary would be denied by VSP-Host’s Process Monitoring capability.


1.7        Reference Links:

Download the full vulnerability report to learn more about this and other important vulnerabilities.

Jump to: List of CVE Vulnerabilities

Do you have a request for a vulnerability Virsec Security Research Lab to explore? Let us know!

About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.