The Apache Software Foundation has released a security update for Apache Hadoop after identifying CVE-2025-27821, an out-of-bounds write flaw in the HDFS native client. The issue affects the URI parser within the native client, which interprets addresses and locates data across distributed file systems.
Classified as an “Out-of-bounds Write,” the vulnerability is a memory safety flaw in how URIs are parsed. It is expected to present stability concerns and potential denial of service, and memory safety vulnerabilities are sometimes precursors to more complex issues. Administrators should check their deployments for the HDFS native client (org.apache.hadoop:hadoop-hdfs-native-client) in versions from 3.2.0 up to, but not including, 3.4.2.
The Apache team has released version 3.4.2 to close this gap, and users running affected versions are advised to upgrade to 3.4.2 to help keep their data lakes secure against this specific memory flaw.
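One way to run the deployment check described above, as an added example that is not Apache's code: it scans dependency-report lines for the artifact and flags versions in the affected range. The Maven `dependency:list` and Gradle tree line shapes, the sample lines (constructed), and the choice to ignore version qualifiers such as `-SNAPSHOT` are assumptions of this sketch.

```python
import re

# Coordinates and range as stated in the advisory text above.
ARTIFACT = "org.apache.hadoop:hadoop-hdfs-native-client"
FIRST_AFFECTED = (3, 2, 0)   # inclusive
FIRST_FIXED = (3, 4, 2)      # exclusive upper bound

# Matches Maven "group:artifact:type[:classifier]:version[:scope]" and
# Gradle "group:artifact:version" forms; the version is the first
# colon-separated field after the artifact that starts with a digit.
COORD_RE = re.compile(
    re.escape(ARTIFACT) + r":(?:[A-Za-z][\w.\-]*:)*(\d[\w.\-]*)"
)

def version_key(version):
    """Leading numeric components as a 3-tuple; qualifiers are ignored (assumption)."""
    nums = re.match(r"\d+(?:\.\d+)*", version).group(0).split(".")
    nums = [int(n) for n in nums[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    return FIRST_AFFECTED <= version_key(version) < FIRST_FIXED

def scan(lines):
    """Return (line_number, version, affected) for each line naming the artifact."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COORD_RE.search(line)
        if m:
            hits.append((n, m.group(1), is_affected(m.group(1))))
    return hits

# Constructed sample input, not taken from any real build.
SAMPLE = """\
[INFO]    org.apache.hadoop:hadoop-common:jar:3.3.6:compile
[INFO]    org.apache.hadoop:hadoop-hdfs-native-client:jar:3.3.6:compile
[INFO]    org.apache.hadoop:hadoop-hdfs-native-client:jar:3.4.2:compile
+--- org.apache.hadoop:hadoop-hdfs-native-client:3.2.0
+--- org.apache.hadoop:hadoop-hdfs-native-client:3.1.4
""".splitlines()

if __name__ == "__main__":
    for n, version, affected in scan(SAMPLE):
        status = "AFFECTED, upgrade to 3.4.2" if affected else "outside affected range"
        print(f"line {n}: {version} -> {status}")
```

This only covers versions declared in build dependency reports; native client libraries installed on hosts by other means need a separate inventory.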