A newly discovered vulnerability in Apache Cassandra, identified as CVE-2025-24860, allows attackers to bypass authorization mechanisms, potentially gaining unauthorized access to data centers or network regions. This flaw affects several versions of the popular distributed database system, specifically versions 4.0.0 to 4.0.15, 4.1.0 to 4.1.7, and 5.0.0 to 5.0.2. The vulnerability is related to the improper implementation of access controls in the CassandraNetworkAuthorizer and CassandraCIDRAuthorizer, which are responsible for restricting access to specific data centers or IP/CIDR groups.
The flaw enables users with restricted access to escalate their permissions by manipulating their access through data control language (DCL) statements. This issue could allow unauthorized users to bypass security measures, posing significant risks to the integrity and confidentiality of systems relying on Apache Cassandra.
The vulnerability particularly affects operators using the impacted versions with these authorizers and could lead to unauthorized access to critical data or systems.
To address this, operators are strongly advised to review their access controls and ensure that no security breaches have occurred due to this vulnerability. The Apache Cassandra development team has issued patched versions—4.0.16, 4.1.8, and 5.0.3—that resolve the flaw and restore proper authorization functionality. Users of affected versions are encouraged to upgrade to these secure versions immediately to mitigate the risk of exploitation.
The discovery of CVE-2025-24860 emphasizes the importance of conducting regular security audits and applying timely patches to distributed database systems like Apache Cassandra. Failure to do so could expose sensitive data to cyber threats. Users are encouraged to follow best security practices, such as keeping systems updated and closely monitoring access controls, to ensure the continued security of their databases and networks.