8.8

CVE-2025-66214

Exploit

EPSS 0.3%
Veröffentlicht 09.12.2025 19:37:18
Zuletzt bearbeitet 17.12.2025 14:32:23
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wearefrank ≫ Ladybug Version < 3.0-20251107.114628

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.528

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7	1.1	5.3	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://github.com/wearefrank/ladybug/security/advisories/GHSA-f9fh-r3cv-398f

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-66214

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66214

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66214

EUVD