A security vulnerability, CVE-2025-27017, has been discovered in Apache NiFi, potentially exposing MongoDB authentication credentials in provenance event logs. This flaw affects Apache NiFi versions 1.13.0 through 2.2.0, allowing any authorized user with read access to provenance events to view MongoDB usernames and passwords, leading to possible unauthorized database access.

The issue arises due to improper handling of authentication credentials in NiFi’s provenance event logging functionality. Provenance events, which track data lineage, inadvertently store MongoDB credentials during data processing. This exposure could allow attackers to access, manipulate, or exfiltrate sensitive MongoDB data, posing a major security risk for organizations, especially those in regulated industries.

The affected versions are Apache NiFi 1.13.0 to 2.2.0 (org.apache.nifi:nifi-mongodb-services-nar package, versions >=1.13.0, <2.3.0). Apache NiFi 2.3.0 is unaffected and has resolved this issue by ensuring credentials are properly removed from provenance event records.

Organizations using affected versions of Apache NiFi in conjunction with MongoDB face security risks if unauthorized parties gain access to provenance records. The vulnerability is classified as medium severity (CVSS 3.0 score: 6.5) but can have significant consequences if exploited.

Apache has released a fix in NiFi version 2.3.0, and users are strongly advised to upgrade immediately. For those unable to upgrade right away, implementing strict access controls for provenance data, conducting security audits, and rotating MongoDB credentials after upgrading are recommended to mitigate risks.

This vulnerability highlights the importance of comprehensive security auditing across data processing systems, ensuring that authentication credentials are properly handled and protected throughout the application lifecycle.