6.3

CVE-2025-64408

EPSS 0.48%
Veröffentlicht 19.11.2025 10:32:05
Zuletzt bearbeitet 25.11.2025 14:35:05
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges. 

This issue affects all current versions.

Users are recommended to upgrade to version 3.5.0, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Causeway Version >= 2.0.0 < 3.5.0

Apache ≫ Causeway Version4.0.0 Updatem1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.48%	0.642

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2025/11/19/1

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2025-64408

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-64408

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-64408

EUVD