Description
Dear Nacos Team,
Security scans of the latest nacos-server v3.0.2 (deployed in our environment bpm-nbs-docker-dev-1) using JFrog Xray revealed 19 vulnerabilities, including 7 critical/high-severity issues. The most severe vulnerabilities stem from outdated dependencies—specifically org.apache.tomcat.embed:tomcat-embed-core and org.apache.httpcomponents.client5:httpclient5—which expose deployments to exploitation risks such as authentication bypass and remote code execution (RCE).
🔍 Key Findings
1. Core Vulnerable Dependencies:
   • tomcat-embed-core:10.1.39 (5 vulnerabilities, 2 critical)
   • httpclient5:5.4.2 (2 vulnerabilities, 1 critical)
2. Critical Issues Summary:

| CVE ID | Component | CVSS | Context | Fix Version | Risk Description |
|---|---|---|---|---|---|
| CVE-2025-49125 | tomcat-embed-core | 9.8 | Applicable | 10.1.42 | Authentication bypass via malformed HTTP headers (CWE-288) |
| CVE-2025-48988 | tomcat-embed-core | 7.5 | Not Applicable | 10.1.42 | Resource exhaustion leading to DoS (CWE-770) |
| CVE-2025-27820 | httpclient5 | 9.1 | Applicable | 5.4.3 | TLS handshake bypass via cookie validation flaw (CWE-295) |
• Exploitable Scenarios: attackers can leverage Applicable vulnerabilities to:
  • Bypass Tomcat authentication (CVE-2025-49125) → Hijack admin sessions or modify configurations.
  • Disable TLS validation in httpclient5 (CVE-2025-27820) → Perform MITM attacks on cluster communications (e.g., Jraft on port 7848).
  • Trigger RCE via deserialization gadgets in dependent libraries (observed in historical Nacos vulnerabilities).
🛠️ Requested Actions
1. Urgent Dependency Upgrades:
   • Upgrade tomcat-embed-core from 10.1.39 → 10.1.42 (fixes CVE-2025-49125/CVE-2025-48988).
   • Upgrade httpclient5 from 5.4.2 → 5.4.3 (fixes CVE-2025-27820).
2. Long-term Security Enhancements:
   • Introduce a Dependency Bill of Materials (BOM) to track transitive dependencies and automate vulnerability scanning (e.g., OWASP Dependency-Check) in the release pipeline.
   • Extend Nacos’ built-in security audits to cover embedded third-party libraries (e.g., scanning for known CVEs during image builds).
📎 Evidence & Reproduction
Attached full vulnerability reports from Xray scans:
1. Docker_07d5dd5_Scan_Status.csv – Confirms scan completion and Applicable status for critical issues.
2. Docker_07d5dd5_Security_Export.csv – Lists all 19 vulnerabilities, including:

| Component | CVE ID | Severity | Fix Version | Context |
|---|---|---|---|---|
| tomcat-embed-core:10.1.39 | CVE-2025-49125 | Critical | 10.1.42 | Applicable |
| httpclient5:5.4.2 | CVE-2025-27820 | Critical | 5.4.3 | Applicable |

💡 Why This Matters
These vulnerabilities impact all Nacos v3.0.2 deployments, especially:
• Cluster-based installations exposed to internal network attacks via Jraft (port 7848).
• Environments requiring compliance with standards like GDPR/HIPAA (due to data leakage risks).
We appreciate your work on Nacos and urge prioritization of these security fixes.
Next Steps:
• Confirm receipt and triage priority.
• Track progress via Nacos GitHub Issues.
✒️ Note: Temporary mitigation steps (e.g., dependency overrides) are documented in this gist.
Let’s collaborate to fortify Nacos’ security posture! 🔒
Attachments:
Docker_07d5dd5_Scan_Status.csv
Docker_07d5dd5_Security_Export.csv
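As an added illustration of the two things the report asks for (a temporary dependency override to the fix versions, and CVE scanning that gates the release build), here is a Maven `pom.xml` fragment. It is an example written for this page, not code from the Nacos project or from the reporter. It assumes a Maven build in which tomcat-embed-core and httpclient5 arrive as transitive dependencies; the `dependency-check.version` property is a placeholder that you must set to the `org.owasp:dependency-check-maven` release available in your environment, and `dependency-check-suppressions.xml` is an assumed file name for waiving reviewed false positives.

```xml
<!-- Added example (not from the Nacos build): pin the affected transitive
     dependencies to the fix versions named in the report and fail the build
     on high/critical findings. Assumes Maven; the plugin version and the
     suppression file name are placeholders. -->
<project>
  <properties>
    <!-- Fix versions from the Xray report -->
    <tomcat.version>10.1.42</tomcat.version>
    <httpclient5.version>5.4.3</httpclient5.version>
    <!-- Placeholder: set to the dependency-check-maven release you use -->
    <dependency-check.version>REPLACE_ME</dependency-check.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- CVE-2025-49125 / CVE-2025-48988. All tomcat-embed-* artifacts must
           move together; a mismatched core/websocket/el set fails at startup. -->
      <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-core</artifactId>
        <version>${tomcat.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-websocket</artifactId>
        <version>${tomcat.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-el</artifactId>
        <version>${tomcat.version}</version>
      </dependency>
      <!-- CVE-2025-27820 -->
      <dependency>
        <groupId>org.apache.httpcomponents.client5</groupId>
        <artifactId>httpclient5</artifactId>
        <version>${httpclient5.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Gate the release build on known CVEs in the resolved dependency tree -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- Fail on any finding with CVSS >= 7 (high/critical) -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- Reviewed false positives are waived here, never by lowering the threshold -->
          <suppressionFiles>
            <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After applying the override, confirm what actually ends up on the classpath rather than trusting the declaration: `mvn dependency:tree -Dincludes=org.apache.tomcat.embed,org.apache.httpcomponents.client5` should show only 10.1.42 and 5.4.3, and the rebuilt image should be rescanned. Treat the `dependencyManagement` pins as a stopgap: they override whatever a parent BOM resolves, so a future BOM bump can silently reintroduce a different Tomcat line, and they should be dropped once the upstream project ships the upgraded versions.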