CVE-2025-2298: Unauthorized deletion of data lake files

Overview

A recent security vulnerability in the Dremio software used as part of Cumulocity DataHub was published with CVE-2025-2298.

The vulnerability allows users authenticated to Dremio to delete arbitrary files accessible from Dremio, including those stored in remote locations (AWS S3, Azure Datalake Storage, etc.).

Risk

The risk is that any authenticated Dremio user could potentially delete critical files, leading to:

  • Data loss: Deletion of data sources and connectors in Dremio.
  • Denial of service (DoS): Deletion of system or application files in Dremio.

It’s important to note that this vulnerability can only be exploited by authenticated Dremio users and only allows for file deletion, not viewing or editing. Cumulocity cloud products employ a container architecture limiting the likelihood of access to files outside of Dremio.

Impact on Cumulocity cloud customers

We confirm that the vulnerability has not been exploited yet on Cumulocity cloud platforms and have established a mitigation measure to block the connection to the vulnerable API.

Upgrades to a non-vulnerable version of DataHub will be gradually rolled out starting April 22nd, 2025.

In general, we recommend reviewing the credentials used for Dremio access and applying standard measures such as establishing a minimum complexity and regularly changing passwords.

Impact and recommended actions for Cumulocity data center and Edge customers

The following measures are recommended:

  • Review the installed Dremio credentials for complexity and change if needed.
  • Upgrade to a non-vulnerable DataHub version:
    • Release 2024: DataHub version 10.18.0.24.595 and later
    • Release 2025: DataHub version 11.0.596 and later
    Until the upgrade is applied, monitor the vulnerable API. For details on how to monitor the API, please contact Cumulocity support.

For users of Edge 2025, the Edge 2025.0.1 release will include the version of Datahub containing this fix. No further action is required beyond upgrading your Edge 2025 installation.

Note that the Edge Appliance VM permits Dremio to access files on the host volume of the appliance VM. In this case, the vulnerability may not be limited to data lake files.

References

In case of further questions, please do not hesitate to contact Cumulocity support.