CVE-2024-27348 — Apache HugeGraph-Server Improper Access Control Vulnerability

CVE-2024-27348

Apache HugeGraph-Server — Improper Access Control Enables Pre-Auth RCE via Gremlin API; CVSS 9.8; Exploitation Within Days of Disclosure

What is Apache HugeGraph-Server?

Apache HugeGraph is an open-source graph database system originally developed at Baidu and donated to the Apache Software Foundation. HugeGraph-Server is the core server component, providing a graph database engine and REST API based on the Apache TinkerPop Gremlin graph traversal language. It is used for social network analysis, knowledge graphs, fraud detection, and other applications requiring graph-structured data. HugeGraph instances are sometimes exposed directly to the internet or internal networks without adequate access control, as the API is designed to be accessible to application developers and analysts.

Overview

CVE-2024-27348 is an improper access control vulnerability (CWE-284) in Apache HugeGraph-Server that allows an unauthenticated remote attacker to execute arbitrary code. The vulnerability is in the Gremlin API endpoint — HugeGraph's graph traversal interface. When HugeGraph-Server is running without authentication enabled (which is the default in some configurations), or when the access control for the Gremlin API is insufficiently enforced, an attacker can submit Gremlin queries that invoke Java execution functions, achieving remote code execution on the server hosting HugeGraph. CISA added it to the KEV catalog in September 2024, five months after the April 2024 patch, confirming sustained exploitation of internet-exposed instances.

Affected Versions

Product                   Vulnerable   Fixed
Apache HugeGraph-Server   < 1.3.0      1.3.0

Technical Details

The improper access control (CWE-284) affects the HugeGraph Gremlin API endpoint (/gremlin or via the REST API). The Gremlin language is a graph traversal query language that also supports executing Java code through its scripting engine (Groovy-based in TinkerPop implementations). This is intentional for flexibility, but it means that unrestricted access to the Gremlin endpoint is equivalent to unrestricted code execution.

Attack vector:

  1. Attacker sends a POST request to the HugeGraph Gremlin API endpoint
  2. The Gremlin query includes a Java code execution invocation, such as:
     Thread.currentThread().getContextClassLoader().loadClass("java.lang.Runtime").getMethod("exec", String.class).invoke(Thread.currentThread().getContextClassLoader().loadClass("java.lang.Runtime").getMethod("getRuntime").invoke(null), "id")
  3. HugeGraph-Server processes the query and executes the embedded Java code
  4. The attacker receives command output or establishes a reverse shell

Default configuration risk: HugeGraph-Server in many versions did not require authentication by default, or shipped with a simple admin account and a default password. Organizations that deployed HugeGraph without hardening API access are directly exposed to this attack.

1.3.0 mitigations: The 1.3.0 release added authentication enforcement for the Gremlin API and restricted the Java classes available to Gremlin scripts, reducing the exploitable attack surface.

Discovery

The vulnerability was identified through security research on Apache HugeGraph's Gremlin API. The combination of internet-exposed HugeGraph instances and the Gremlin endpoint's inherent code execution capability made this a notable target.

Exploitation Context

CISA added CVE-2024-27348 to the KEV catalog on September 18, 2024, five months after the April 2024 fix. The delay reflects the niche nature of HugeGraph: fewer organizations run it compared to major enterprise products, but those that do may have overlooked patching a graph database component. Security researchers documented mass scanning for HugeGraph REST API endpoints and Gremlin query interfaces following public disclosure, with exploitation occurring against internet-facing HugeGraph instances.

Remediation

  1. Upgrade to Apache HugeGraph-Server 1.3.0 or later immediately. The CISA deadline was October 9, 2024.
  2. Enable authentication on the HugeGraph REST API — HugeGraph 1.3.0 supports authentication via the gremlin-driver connection settings; ensure auth.authenticator is configured.
  3. Restrict network access to HugeGraph — the HugeGraph REST API (default port 8080) and Gremlin server (default port 8182) should only be accessible from application servers and authorized clients, not from the internet or general enterprise networks.
  4. Disable Gremlin script execution if graph traversal queries are sufficient — configure HugeGraph to restrict the Gremlin engine to disallow Java class invocations.
  5. Rotate HugeGraph admin credentials if the default credentials were in use.
  6. Audit HugeGraph access logs for Gremlin API requests containing Java class invocations, exec, Runtime, or Process references from the April–September 2024 exposure window.
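An added example (not from this advisory or the HugeGraph project) of the audit in step 6: a Python scan over constructed access-log lines that extracts the Gremlin script from GET query strings and, where a proxy or WAF recorded them, from POST bodies, then flags the JVM-escape tokens the step lists. The log format, sample lines and token list are assumptions; HugeGraph-Server's own access log does not record POST bodies, so POST /gremlin payloads are only reviewable from a proxy or WAF that logs them.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Tokens from remediation step 6 (Runtime, exec, Process, class loading) that mark a
# Gremlin script reaching into the JVM instead of traversing the graph.
JVM_ESCAPE_RE = re.compile(
    r"java\.lang\.Runtime|\bgetRuntime\b|\bProcessBuilder\b|\bexec\b"
    r"|\bgetContextClassLoader\b|\bloadClass\b|Class\.forName"
)

# Constructed log format (an assumption, not HugeGraph's own): client, timestamp,
# request line, status, then the body if a proxy/WAF captured it, else "-".
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3}) (.*)$')

# Constructed sample lines: line 2 is a percent-encoded form of the page's
# class-loader payload, line 3 a POST body as a proxy would record it.
SAMPLE_LOG = r"""10.0.0.5 [22/Apr/2024:10:01:11 +0000] "GET /gremlin?gremlin=g.V%28%29.limit%2810%29 HTTP/1.1" 200 -
203.0.113.7 [22/Apr/2024:10:02:45 +0000] "GET /gremlin?gremlin=Thread.currentThread%28%29.getContextClassLoader%28%29.loadClass%28%22java.lang.Runtime%22%29.getMethod%28%22getRuntime%22%29 HTTP/1.1" 200 -
203.0.113.7 [22/Apr/2024:10:03:02 +0000] "POST /gremlin HTTP/1.1" 200 {"gremlin":"java.lang.Runtime.getRuntime().exec(\"id\")"}
10.0.0.6 [22/Apr/2024:10:04:00 +0000] "POST /graphs/hugegraph/schema/vertexlabels HTTP/1.1" 201 {"name":"person"}
"""

def gremlin_script(method, target, body):
    """Return the Gremlin script a request carries, or None for non-Gremlin calls."""
    parts = urlsplit(target)
    if not parts.path.endswith("/gremlin"):
        return None
    if method == "GET":  # parse_qs percent-decodes, so %28/%22 cannot hide tokens
        return parse_qs(parts.query).get("gremlin", [None])[0]
    if body and body != "-":
        try:
            return json.loads(body).get("gremlin")
        except (ValueError, AttributeError):
            return body  # non-JSON body: scan it raw rather than drop it
    return None

def scan_access_log(text):
    """Return one finding per request whose Gremlin script contains JVM-escape tokens."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status, body = m.groups()
        script = gremlin_script(method, target, body)
        tokens = sorted(set(JVM_ESCAPE_RE.findall(script))) if script else []
        if tokens:
            findings.append({"client": client, "time": ts, "status": int(status), "tokens": tokens})
    return findings
```

Ordinary traversals such as g.V().limit(10) produce no finding, while both requests from 203.0.113.7 are reported with the tokens that triggered them.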

Key Details

Property               Value
CVE ID                 CVE-2024-27348
Vendor / Product       Apache — HugeGraph-Server
NVD Published          2024-04-22
NVD Last Modified      2025-10-23
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-284
CISA KEV Added         2024-09-18
CISA KEV Deadline      2024-10-09
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:         Network
Attack Complexity:     Low
Privileges Required:   None
User Interaction:      None
Scope:                 Unchanged
Confidentiality:       High
Integrity:             High
Availability:          High

Required Action

CISA BOD 22-01 Deadline: 2024-10-09. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-04-22   CVE published; Apache HugeGraph-Server 1.3.0 released with fix
2024-09-18   CISA adds to KEV (5-month gap — ongoing exploitation of internet-exposed instances)
2024-10-09   CISA BOD 22-01 remediation deadline