CVE-2025-27017: Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record

March 12, 2025

Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB components generate during processing. An authorized user with read access to the provenance events of those processors may see the credentials information. Upgrading to Apache NiFi 2.3.0 is the recommended mitigation, which removes the credentials from provenance event records.

References

github.com/advisories/GHSA-35gq-cvrm-xf94
github.com/apache/nifi
github.com/apache/nifi/commit/48d684500f6ad70f65bfd510db054590c5bc74a9
issues.apache.org/jira/browse/NIFI-14272
lists.apache.org/thread/d4n5474jkhp82dvnht13pjtlfx7bhn5q
nvd.nist.gov/vuln/detail/CVE-2025-27017

Code Behaviors & Features

Detect and mitigate CVE-2025-27017 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →