JFrog’s Security Research team uncovered a critical remote code execution (RCE) vulnerability in Apache Cassandra, designated CVE-2021-44521 with a CVSS score of 8.4, which primarily affects non-default configurations. Apache Cassandra, a widely used distributed NoSQL database, is vulnerable when specific configurations enable user-defined functions (UDFs) without adequate security measures, allowing malicious actors to abuse the Nashorn JavaScript engine that executes scripted UDFs and run arbitrary code on the node. Cassandra's default settings employ a security manager and class filtering to prevent such exploits, but modifying these configurations can lead to security breaches, including denial-of-service attacks and unsafe object deserialization via the cassandra-stressd tool. Mitigations include upgrading to patched versions of Cassandra, disabling UDFs if unused, or ensuring secure configurations by restricting UDF-related permissions. JFrog emphasizes the importance of prompt upgrading and security monitoring through tools like JFrog Xray to address these vulnerabilities.
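The write-up above turns on the combination of cassandra.yaml settings rather than on any single switch, so the check a defender wants is a small audit of that file. The script below is an added example, not JFrog's or the Cassandra project's code. It assumes (the page does not name them) that the relevant keys are `enable_user_defined_functions`, `enable_scripted_user_defined_functions` and `enable_user_defined_functions_threads`, that the last of these defaults to true, and that the exposed configuration is scripted UDFs enabled together with UDF thread isolation disabled, which is the case in which the security manager and class filter described above are not applied. The sample configurations are constructed inline so the script runs offline.

```python
"""Audit a cassandra.yaml excerpt for the UDF settings discussed in the
JFrog write-up on CVE-2021-44521.

Added example, not JFrog's or Apache Cassandra's code. Assumptions (not stated
on the page): the three keys checked below govern UDF execution, the threads
key defaults to true, and the high-risk combination is scripted UDFs enabled
with UDF thread isolation disabled.
"""
import re

# Constructed sample configurations used as inline input (not from the page).
SAMPLE_RISKY = """\
# cassandra.yaml excerpt (constructed sample)
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""

SAMPLE_DEFAULT = """\
cluster_name: 'Test Cluster'
# enable_user_defined_functions: false
"""

_KV = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_top_level(text):
    """Return top-level scalar key/value pairs from a YAML-like text.

    Deliberately minimal: comments are dropped, indented (nested) lines and
    keys without an inline value are ignored. A '#' inside a quoted value
    would be treated as a comment, which is acceptable for the keys audited here.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].rstrip()
        if not stripped or stripped[0].isspace():
            continue  # blank, comment-only, or nested line
        m = _KV.match(stripped)
        if m and m.group(2) != "":
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def as_bool(value, default=False):
    """Interpret a YAML scalar as a boolean; missing keys take the given default."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "on", "1")


def assess_udf_exposure(text):
    """Rate a cassandra.yaml excerpt as low / medium / high for the UDF issue.

    high   : scripted UDFs enabled and thread isolation disabled (assumed
             exposed configuration)
    medium : one of the two non-default switches flipped
    low    : UDFs disabled, or enabled with both protections in place
    """
    s = parse_top_level(text)
    udf = as_bool(s.get("enable_user_defined_functions"), default=False)
    scripted = as_bool(s.get("enable_scripted_user_defined_functions"), default=False)
    threads = as_bool(s.get("enable_user_defined_functions_threads"), default=True)

    if not udf:
        return {"level": "low", "findings": ["UDFs disabled (default)"]}

    findings = ["user-defined functions enabled"]
    if scripted:
        findings.append("scripted (Nashorn JavaScript) UDFs enabled")
    if not threads:
        findings.append("UDF thread isolation disabled; security manager "
                        "and class filter not enforced for UDF code")

    if scripted and not threads:
        level = "high"
    elif scripted or not threads:
        level = "medium"
    else:
        level = "low"
    return {"level": level, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("risky", SAMPLE_RISKY), ("default", SAMPLE_DEFAULT)):
        report = assess_udf_exposure(cfg)
        print(f"{name}: {report['level']}")
        for f in report["findings"]:
            print(f"  - {f}")
```

Run it against a real node's cassandra.yaml by reading the file into `assess_udf_exposure`; a "high" result means the node should be upgraded to a patched release or have scripted UDFs disabled before anything else, and "medium" is worth reviewing because one of the protections the advisory relies on has been switched off.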