{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66335", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-11-27T03:23:14.613Z", "datePublished": "2026-04-20T13:27:27.764Z", "dateUpdated": "2026-04-20T14:17:11.395Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Doris MCP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "0.6.1", "status": "affected", "version": "0.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Tomer Peled, Senior Security Researcher at Akamai"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected.\n</div><br>"}], "value": "Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-20T13:27:27.764Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/odp0fyyst8kxm7hhm9z4d1snh1y4hjpy"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Doris MCP Server: MCP SQL inject", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-20T13:38:34.416Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:17:08.608951Z", "id": "CVE-2025-66335", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:17:11.395Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/17/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-20T13:38:34.416Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-66335", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:17:08.608951Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:17:05.675Z"}}], "cna": {"title": "Apache Doris MCP Server: MCP SQL inject", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Tomer Peled, Senior Security Researcher at Akamai"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Doris MCP Server", "versions": [{"status": "affected", "version": "0.1.0", "lessThan": "0.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/odp0fyyst8kxm7hhm9z4d1snh1y4hjpy", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected.", "supportingMedia": [{"type": "text/html", "value": "<div>Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected.\n</div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-20T13:27:27.764Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66335", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:17:11.395Z", "dateReserved": "2025-11-27T03:23:14.613Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-20T13:27:27.764Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:doris_mcp_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "95766A2C-71CC-4CC7-9F95-501B6ACC1E2F", "versionEndExcluding": "0.6.1", "versionStartIncluding": "0.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version 0.6.1 and later are not affected."}], "id": "CVE-2025-66335", "lastModified": "2026-04-22T14:17:06.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T14:16:16.760", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/odp0fyyst8kxm7hhm9z4d1snh1y4hjpy"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2026/04/17/4"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.1.0,0.6.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Doris MCP Server", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "doris_mcp_server", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-20T16:30:56.412315+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Doris MCP Server to version 0.6.1 or later to eliminate the SQL injection vulnerability.", "Block or restrict external access to the MCP query execution interface until a patch is applied.", "Enforce strict authentication and role-based authorization for all MCP queries and audit logs for suspicious activity."], "summary": {"action": "Immediate Upgrade", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Apache Doris MCP Server, distributed by the Apache Software Foundation, is affected in all releases older than version 0.6.1. Versions 0.6.1 and newer do not contain this flaw. The vulnerability does not specify sub\u2011components or modules beyond the general MCP query interface, so any deployment of the affected server should be considered at risk.", "description_and_impact": "Apache Doris MCP Server contains an improper neutralization flaw in its query context handling that allows an attacker to inject SQL statements through the MCP query execution interface. The injected commands bypass the intended validation logic and can execute unintended queries, potentially enabling data exfiltration, unauthorized modification, or denial of service. This vulnerability is a classic example of CWE\u201189, where failure to properly sanitize user input leads to SQL injection.", "risk_and_exploitability": "The CVE metadata lists a CVSS score of 5.3 and an EPSS score that is not available, indicating a moderate severity vulnerability. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is remote over the network via the MCP query endpoint, which is typically accessible to external actors. Because the flaw resides in core query handling and no workaround is publicly documented, exploitation could be straightforward for an attacker with network access to the server. Monitoring for anomalous query activity and limiting exposure until a patch is applied remain prudent measures."}}}}, "created": "2026-04-20T15:30:06.047216+00:00", "updated": "2026-04-20T16:45:11.944785+00:00", "vendors": ["apache", "apache$PRODUCT$doris_mcp_server"]}