Full Report
Apache, Alibaba databases vulnerable and only one has a patch
Analysis Summary
# Vulnerability: Multiple Flaws in Model Context Protocol (MCP) Database Servers
## CVE Details
- **CVE ID:** CVE-2025-66335 (Apache Doris); Unassigned (Apache Pinot & Alibaba RDS)
- **CVSS Score:** Not explicitly listed, but characterized as "Serious/Massive" (Estimated High/Critical)
- **CWE:** CWE-89 (SQL Injection), CWE-306 (Missing Authentication), CWE-200 (Information Exposure)
## Affected Systems
- **Products:**
1. Apache Doris MCP Server
2. Apache Pinot MCP Server
3. Alibaba RDS MCP Server
- **Versions:**
1. Apache Doris MCP: Versions prior to 0.6.1
2. Apache Pinot MCP: Versions 1.1.0 and earlier
3. Alibaba RDS MCP: All versions (Current)
- **Configurations:** Systems where the MCP endpoint is exposed to the internet or reachable by unauthenticated clients.
## Vulnerability Description
The flaws stem from a systemic lack of security validation between the Model Context Protocol (MCP) server—used to connect LLMs to data—and the database backend.
- **Apache Doris:** A SQL Injection flaw via the `exec_query` function. The server fails to validate the `db_name` parameter, allowing malicious SQL to be prepended to queries. The internal validator only checks the initial portion of the statement, bypassing security controls.
- **Apache Pinot:** A lack of authentication in the HTTP transport layer. Unauthenticated users can invoke tools intended for AI agents to run arbitrary queries.
- **Alibaba RDS:** Missing authentication and query validation for Retrieval-Augmented Generation (RAG) tools, allowing unauthenticated access to the vector index.
## Exploitation
- **Status:** PoC available (Research presented by Akamai); Vulnerabilities confirmed in codebase.
- **Complexity:** Low (minimal effort required for exfiltration/injection).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Exfiltration of sensitive metadata, schemas, and table names).
- **Integrity:** High (Execution of unintended SQL statements and arbitrary commands).
- **Availability:** High (Potential for full database takeover).
## Remediation
### Patches
- **Apache Doris:** Update to **version 0.6.1** or later.
- **Apache Pinot:** Update to **version 2.0.0** (includes OAuth support).
- **Alibaba RDS:** **No patch available.** The vendor declined to fix the issue, designating it as "not applicable."
### Workarounds
- **Network Segmentation:** Ensure MCP endpoints are not exposed to the public internet.
- **Access Control:** Implement a reverse proxy or firewall to enforce authentication before requests reach the MCP server.
- **Credential Management:** For Pinot, manually enable OAuth authentication options.
## Detection
- **Indicators of Compromise:** Unusual SQL patterns in database logs, specifically those prepending commands to the `db_name` parameter. Unauthenticated requests to RAG or `exec_query` endpoints.
- **Detection methods:** Monitor MCP server logs for calls to `exec_query` originating from unauthorized IP addresses.
## References
- **Akamai Research:** hxxps[://]www[.]akamai[.]com/blog/security-research/one-fluke-3-pattern-mcp-back-end-vulnerabilities
- **NVD (Doris):** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2025-66335
- **Vendor Sites:** hxxps[://]doris[.]apache[.]org/ | hxxps[://]pinot[.]apache[.]org/ | hxxps[://]www[.]alibabacloud[.]com/en/rds