Embargo Notice: Public disclosure of CVE-2025-2298 is embargoed until April 21, 2025.
Dremio Security Bulletin 2025-04-21-01
Abstract: An authenticated API endpoint allows arbitrary file deletion in Dremio Software.
CVSS Qualitative Rating:
Affected Releases:
- Dremio 24.3.0 through 24.3.17
- Dremio 24.4.0 through 24.4.1
- Dremio 25.0.0 through 25.0.15
- Dremio 25.1.0 through 25.1.8
- Dremio 25.2.0 through 25.2.5
Security Advisory: Improper Authorization Vulnerability
A vulnerability has been identified in specific versions of Dremio Software. It allows an authenticated user to delete arbitrary files accessible to the Dremio system, including system files and data held in remote or local storage locations (S3, Azure Blob Storage, local filesystems).
The vulnerability arises from insufficient access controls on an API endpoint, which permits authenticated users to delete files outside their authorized scope. Exploitation could result in data loss, denial of service (DoS) and, depending on which files are deleted, further impact.
Exploitation is considered unlikely: the affected endpoint was not used by the product itself and was discovered during a penetration test. It has since been deprecated and removed in the fixed releases. Note that "unused" describes the product's own use of the endpoint; in affected releases it remained reachable by any authenticated user, so the upgrade below should not be deferred on that basis.
Resolution Actions:
Upgrade to one of the following fixed releases, each of which resolves the issue on its branch:
- Dremio 24.3.18 and above
- Dremio 24.4.2 and above
- Dremio 25.0.16 and above
- Dremio 25.1.9 and above
- Dremio 25.2.6 and above
- Dremio 26.0.0 and above
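The affected and fixed ranges above span five maintenance branches, so checking an inventory of Dremio instances by hand is error-prone. The following script is an added example, not Dremio tooling: it encodes the ranges exactly as published in this bulletin and reports, for each version string, whether it is affected (and the first fixed release on that branch), already fixed, or on a branch the bulletin does not list. It assumes that a build or pre-release suffix after the MAJOR.MINOR.PATCH triple (for example "25.2.3-2025...") can be ignored for range comparison, and the inventory it runs over is constructed for illustration.

```python
# Added example: triage Dremio Software versions against the affected and
# fixed release ranges in Dremio Security Bulletin 2025-04-21-01
# (CVE-2025-2298). This is not Dremio's own tooling.

from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per branch, from the bulletin.
AFFECTED_RANGES = [
    ((24, 3, 0), (24, 3, 17), (24, 3, 18)),
    ((24, 4, 0), (24, 4, 1), (24, 4, 2)),
    ((25, 0, 0), (25, 0, 15), (25, 0, 16)),
    ((25, 1, 0), (25, 1, 8), (25, 1, 9)),
    ((25, 2, 0), (25, 2, 5), (25, 2, 6)),
]
# The bulletin lists 26.0.0 and above as fixed with no affected range.
FIXED_FROM = (26, 0, 0)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'. Assumption: a '-' or '+' suffix (build or
    pre-release tag) does not change which published range applies."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Dremio version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_release).

    'affected'   - inside a published affected range; the second element is
                   the first fixed release on the same branch.
    'fixed'      - at or above the fixed release for its branch, or 26.x+.
    'not_listed' - branch not covered by the bulletin (e.g. 24.2.x or
                   25.3.x); treat as unknown rather than as safe.
    """
    v = parse_version(text)
    for first, last, fixed in AFFECTED_RANGES:
        if v[:2] == first[:2]:          # same MAJOR.MINOR branch
            if first <= v <= last:
                return ("affected", fmt(fixed))
            if v >= fixed:
                return ("fixed", None)
    if v >= FIXED_FROM:
        return ("fixed", None)
    return ("not_listed", None)


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map host -> version string to host -> (status, recommended_release)."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "dremio-prod-a": "25.2.3",
    "dremio-prod-b": "25.2.6",
    "dremio-dev": "24.3.17-202503010000",
    "dremio-legacy": "24.2.9",
    "dremio-next": "26.0.0",
}

if __name__ == "__main__":
    for host, (status, rec) in triage(SAMPLE_INVENTORY).items():
        action = f"upgrade to {rec}" if rec else "no action from this bulletin"
        print(f"{host:16s} {SAMPLE_INVENTORY[host]:24s} {status:10s} {action}")
```

Versions on branches the bulletin does not mention are reported as "not_listed" rather than "fixed" on purpose: the bulletin only states which releases are affected and which contain the fix, and says nothing about other branches.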
If you have further questions, please contact Dremio Support via the Support Portal. Thank you for your continued support of Dremio.