CVE-2021-25646 is a critical remote code execution vulnerability in Apache Druid (versions prior to 0.20.1), an open source distributed data store. The flaw arises from improper validation of JSON request bodies with empty keys, which allows attackers to override default configurations and force the execution of user-supplied JavaScript code, even when JavaScript execution is disabled in the server configuration. The vulnerability is rooted in a bug in the Jackson deserializer library used by Druid. Exploitation is possible via crafted requests to endpoints such as /druid/indexer/v1/sampler, leveraging JavaScript-based filters in the ingestion API to execute arbitrary system commands with the privileges of the Druid server process.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository contains a Python exploit script (druid_rce.py) and a README.md file. The exploit targets Apache Druid servers vulnerable to CVE-2021-25646 (versions prior to 0.20.1), which allows remote code execution via JavaScript code injection in sampler requests. The script takes a target URL and a shell command as arguments, crafts a malicious JSON payload that injects JavaScript into the Druid indexer API (/druid/indexer/v1/sampler), and executes the specified command on the target server. The output of the command is extracted from the API response and displayed to the user. The exploit requires the target Druid instance to be accessible over the network and the indexer API to be exposed. The code is operational and provides direct command execution capabilities, making it suitable for penetration testing and red teaming against vulnerable Druid deployments.
This repository is a Go-based proof-of-concept exploit for CVE-2021-25646, a critical remote code execution vulnerability in Apache Druid. The exploit consists of a main entry point (main.go) that provides an interactive shell interface, allowing the user to execute arbitrary commands on a vulnerable Druid server. The exploit works by sending a specially crafted JSON payload to the /druid/indexer/v1/sampler HTTP endpoint, abusing the indexer component's task API to inject and execute commands via Java's Runtime.exec. The payload is constructed in utils/payload.go and leverages a JavaScript function in the JSON to execute the supplied command and return its output. The exploit supports optional proxying and is designed for interactive use. The repository includes a README with usage instructions, technical details, and references. No weaponized or automated post-exploitation features are present; this is a functional proof-of-concept for manual exploitation.
This repository is an exploit and detection tool for Apache Druid CVE-2021-25646, a remote code execution vulnerability. The main logic resides in 'vul/druid/druidScan.go', which provides both detection and exploitation capabilities. The tool accepts a target (domain or IP:port) or a file with multiple targets, and sends a crafted POST request to the '/druid/indexer/v1/sampler' endpoint. The payload leverages a JavaScript function to execute arbitrary system commands on the server via Java's Runtime.exec. If no command is specified, it defaults to 'id' for detection; otherwise, any command (including reverse shell payloads) can be executed. The tool is written in Go, with supporting modules for colored output and file handling. The exploit is operational and can be used for both vulnerability scanning and actual exploitation, including obtaining a shell on the target system. No hardcoded IPs or domains are present; the tool is designed for user-supplied targets.
This repository contains a Python exploit script (CVE-2021-25646.py) targeting Apache Druid servers vulnerable to CVE-2021-25646. The exploit works by sending a crafted POST request to the '/druid/indexer/v1/sampler' endpoint of a Druid instance, injecting a user-supplied shell command into a JavaScript function executed by the server. The README provides usage instructions, including how to use the exploit to write and execute a reverse shell script on the target. The exploit is operational, allowing arbitrary command execution, and can be used for post-exploitation activities such as file manipulation or establishing a reverse shell. The main fingerprintable endpoint is the Druid API path '/druid/indexer/v1/sampler', and the exploit manipulates files such as '/tmp/1.sh' and '/etc/passwd' on the target system.
This repository contains a proof-of-concept (PoC) exploit for CVE-2021-25646, a remote code execution vulnerability in Apache Druid versions prior to 0.20.1. The exploit is implemented in Python (cve-2021-25646.py) and targets the /druid/indexer/v1/sampler HTTP endpoint, which is accessible without authentication in default Druid installations. The script sends a specially crafted JSON payload that leverages a JavaScript transform in the Druid ingestion spec to execute arbitrary system commands on the server. By default, it attempts to execute a 'ping' command to a DNS log domain (t6gx5w.dnslog.cn), allowing the attacker to verify successful code execution via DNS logs. The README.md provides usage instructions and context about the vulnerability. The exploit demonstrates RCE but does not provide a weaponized or post-exploitation payload; it is intended for verification and demonstration purposes.
This repository contains a Python exploit script (cve-2021-25646.py) targeting Apache Druid servers vulnerable to CVE-2021-25646 (versions < 0.20.1). The exploit leverages a vulnerability in the /druid/indexer/v1/sampler API endpoint, where user-supplied JavaScript code is executed in the context of the server, allowing arbitrary system command execution via java.lang.Runtime.getRuntime().exec(). The script accepts a target URL and a command to execute, constructs a malicious JSON payload, and sends it via HTTP POST to the vulnerable endpoint. The README provides usage instructions and references a proof-of-concept article. The exploit is operational, requiring the attacker to specify the target and command, and is capable of executing arbitrary commands on the server. No hardcoded IPs or domains are present, but the endpoint /druid/indexer/v1/sampler is fingerprintable. The repository is straightforward, containing only the exploit script and a README.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.