Apache Causeway: Java deserialization vulnerability to authenticated attackers_CVE-2025-64408

6.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Description

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.

This issue affects all current versions.

Users are recommended to upgrade to version 3.5.0, which fixes the issue.

Basic Information

ID CVE-2025-64408

Source apache

Published Nov 19, 2025 at 10:32

Modified Nov 19, 2025 at 16:19

Affected Product

Vendor Apache Software Foundation

Product Apache Causeway

Version 2.0.0

Affected Versions Apache Software Foundation Apache Causeway 2.0.0
Apache Software Foundation Apache Causeway 4.0.0-M1

CWE Classification

CWE-502

References

lists.apache.org /thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b

{
    "lastseen": "",
    "description": "Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through\u00a0user-controllable URL parameters. These vulnerabilities affect all\u00a0applications using Causeway's ViewModel functionality and can be exploited\u00a0by authenticated attackers to execute arbitrary code with application\u00a0privileges.\u00a0\n\nThis issue affects all current versions.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue.",
    "published": "2025-11-19T10:32:05.808Z",
    "modified": "2025-11-19T16:19:36.494Z",
    "type": "cve",
    "title": "Apache Causeway: Java deserialization vulnerability to authenticated attackers",
    "source": "apache",
    "references": "https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b",
    "id": "CVE-2025-64408",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Causeway 2.0.0\nApache Software Foundation Apache Causeway 4.0.0-M1",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Causeway",
    "version": "2.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}