A significant security vulnerability has been identified in Apache NiFi, allowing potential attackers with specific access privileges to expose MongoDB authentication credentials.
The vulnerability, tracked as CVE-2025-27017 (NIFI-14272), affects multiple versions of the Apache NiFi data processing system and could potentially lead to unauthorized database access in affected deployments.
The vulnerability stems from Apache NiFi’s improper handling of authentication credentials in its provenance event logging functionality.
The security flaw exists in Apache NiFi versions 1.13.0 through 2.2.0, where the system inadvertently includes MongoDB usernames and passwords in the provenance events generated during data processing operations.
Provenance events in NiFi are detailed records of data lineage that track the history of data as it moves through the system’s workflow.
These events, meant to provide transparency and auditability, were unintentionally exposing sensitive authentication information. Security researcher Robert Creese discovered the vulnerability and reported it through proper channels.
The issue is particularly concerning because any authorized NiFi user with read access to provenance events could potentially view these MongoDB credentials.
This exposure creates a significant security risk, as compromised database credentials could lead to unauthorized data access, manipulation, or exfiltration of sensitive information stored in MongoDB databases connected to the NiFi instance.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Apache NiFi versions 1.13.0 through 2.2.0; Package: org.apache.nifi:nifi-mongodb-services-nar; Version range: >= 1.13.0, < 2.3.0; Apache NiFi 2.3.0 is unaffected |
| Impact | Exposure of MongoDB usernames and passwords in provenance events |
| Exploit Prerequisites | Authorized NiFi use, read access to provenance events |
| CVSS 3.0 Score | 6.5 (Medium Severity) |
Organizations using affected versions of Apache NiFi in conjunction with MongoDB face a potential security risk if unauthorized parties gain access to provenance records.
The exposure of database credentials could compromise the confidentiality and integrity of data managed through these systems. The vulnerability is particularly concerning for organizations in regulated industries or those handling sensitive information.
Apache has addressed this issue in the latest release of NiFi. Version 2.3.0, which is unaffected by this vulnerability, properly removes credentials from provenance event records.
The official recommendation from the Apache NiFi team is to upgrade immediately to version 2.3.0 to mitigate this risk.
For organizations unable to upgrade immediately, implementing strict access controls for provenance data and conducting security audits to detect potential credential exposure are recommended as temporary measures.
Additionally, organizations should consider rotating MongoDB credentials after upgrading to ensure previously exposed credentials can no longer be used for unauthorized access.
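One way to run the audit described above, as an added example that is not code from Apache NiFi or from this article: it scans provenance events exported as JSON for MongoDB connection URIs that embed a username and password, and lists the accounts to rotate without echoing any password. It assumes the credentials appear in `mongodb://user:password@host` form somewhere in an event's string fields; the event layout and all sample values are constructed.

```python
import json
import re

# mongodb:// or mongodb+srv:// URI carrying a user:password@ userinfo part.
MONGO_CRED_URI = re.compile(r"mongodb(?:\+srv)?://([^\s:/@]+):([^\s/@]+)@([^\s/?]+)")

def iter_strings(node, path=""):
    """Yield (path, value) for every string nested in a decoded JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def find_exposed_credentials(events):
    """One finding per credential-bearing URI; the password is never copied out."""
    findings = []
    for event in events:
        for path, text in iter_strings(event):
            for match in MONGO_CRED_URI.finditer(text):
                user, _password, host = match.groups()
                findings.append({"event_id": event.get("eventId"), "field": path,
                                 "username": user, "host": host})
    return findings

def accounts_to_rotate(findings):
    """Distinct (username, host) pairs whose passwords should be changed."""
    return sorted({(f["username"], f["host"]) for f in findings})

# Constructed sample export (not real NiFi output); layout is an assumption.
SAMPLE_EVENTS = json.loads("""[
  {"eventId": 101, "componentType": "PutMongo",
   "transitUri": "mongodb://etl_writer:S3cr3t%21@db1.example.internal:27017/orders"},
  {"eventId": 102, "componentType": "GetMongo",
   "transitUri": "mongodb://db1.example.internal:27017/orders"},
  {"eventId": 103, "componentType": "UpdateAttribute",
   "attributes": [{"name": "source",
                   "value": "mongodb+srv://reporting:pw123@cluster0.example.internal/reports"}]}
]""")

if __name__ == "__main__":
    hits = find_exposed_credentials(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("rotate:", accounts_to_rotate(hits))
```

Because the scan walks every string value rather than a fixed field, it also catches URIs copied into attributes or details, at the cost of reporting any credential-bearing MongoDB URI regardless of which component wrote it.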
This vulnerability serves as a reminder of the importance of comprehensive security auditing across all components of data processing systems, particularly focusing on how authentication credentials are handled throughout the application lifecycle.