Hitachi Vantara Pentaho Business Analytics Server – Deserialization of Untrusted...

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.

AI Analysis

Deserialization of untrusted data vulnerability in Pentaho Data Integration and Analytics Community Dashboard Editor plugin

Basic Information

ID CVE-2025-9121

Source HITVAN

Published Dec 15, 2025 at 22:53

Affected Product

Vendor Hitachi Vantara

Product Pentaho Data Integration and Analytics

Version 1.0

Affected Versions Hitachi Vantara Pentaho Data Integration and Analytics 1.0

CWE Classification

CWE-502

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Hitachi Vantara

Product Pentaho Data Integration and Analytics

Version 9.3.0.x, 8.3.x, before 10.2.0.4

References

support.pentaho.com /hc/en-us/articles/41832536185613--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121

{
    "lastseen": "",
    "description": "Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.",
    "published": "2025-12-15T22:53:57.465Z",
    "modified": "2025-12-15T22:53:57.465Z",
    "type": "cve",
    "title": "Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data",
    "source": "HITVAN",
    "references": "https://support.pentaho.com/hc/en-us/articles/41832536185613--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121",
    "id": "CVE-2025-9121",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Hitachi Vantara Pentaho Data Integration and Analytics 1.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Pentaho Data Integration and Analytics",
    "version": "1.0",
    "vendor": "Hitachi Vantara",
    "ai_description": "Deserialization of untrusted data vulnerability in Pentaho Data Integration and Analytics Community Dashboard Editor plugin",
    "ai_severity": "High",
    "ai_vendor": "Hitachi Vantara",
    "ai_product": "Pentaho Data Integration and Analytics",
    "ai_version": "9.3.0.x, 8.3.x, before 10.2.0.4",
    "ai_score": 8.8
}

Hitachi Vantara Pentaho Business Analytics Server – Deserialization of Untrusted Data_CVE-2025-9121