CVE-2025-1385

Published: Mar 20, 2025

Modified: Mar 20, 2025

PUBLISHED

Description

When the library bridge feature is enabled, the clickhouse-library-bridge exposes an HTTP API on localhost. This allows clickhouse-server to dynamically load a library from a specified path and execute it in an isolated process. Combined with the ClickHouse table engine functionality that permits file uploads to specific directories, a misconfigured server can be exploited by an attacker with privilege to access to both table engines to execute arbitrary code on the ClickHouse server. You can check if your ClickHouse server is vulnerable to this vulnerability by inspecting the configuration file and confirming if the following setting is enabled: <library_bridge> <port>9019</port> </library_bridge>

Vendor	Product	Versions
ClickHouse	ClickHouse OSS	affected `24.3 - < 24.3.18.6` affected `24.8 - < 24.8.14.27` affected `24.11 - < 24.11.5.34` affected `24.12 - < 24.12.5.65` affected `25.1 - < 25.1.5.5`

Weaknesses (CWE)

CWE-20

References

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5phv-x8x4-83x5

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-1385

Description

Affected Products

Weaknesses (CWE)

References