CVE-2025-58337

MEDIUM EPSS 21.5%

Published Nov 5, 20257mo ago · Modified Jun 17, 20261w ago

5.4 CVSS 3.1

Medium

Published Nov 5, 2025 7mo ago

Last Modified Jun 17, 2026 1w ago

Description

An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications. Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).

CVSS Details

Base Score

5.4

Exploitability

2.8

Impact

2.5

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

21.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-284

Affected Products 1

Vendor	Product	Version	Range
apache	doris_mcp_server	*	<0.6.0

References 2

openwall.com http://www.openwall.com/lists/oss-security/2025/11/04/5

Mailing ListThird Party Advisory
lists.apache.org https://lists.apache.org/thread/6tswlphj0pqn9zf25594r3c1vzvfj40h

Mailing ListVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.