{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64408", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-11-03T17:08:27.439Z", "datePublished": "2025-11-19T10:32:05.808Z", "dateUpdated": "2025-11-20T04:55:22.650Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.causeway:*", "product": "Apache Causeway", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "3.4.0", "status": "affected", "version": "2.0.0", "versionType": "semver"}, {"status": "affected", "version": "4.0.0-M1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Slain Nico"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\nApache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through&nbsp;user-controllable URL parameters. These vulnerabilities affect all&nbsp;applications using Causeway's ViewModel functionality and can be exploited&nbsp;by authenticated attackers to execute arbitrary code with application&nbsp;privileges.&nbsp;</p><p>This issue affects all current versions.</p><p>Users are recommended to upgrade to version 3.5.0, which fixes the issue.</p>"}], "value": "Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through\u00a0user-controllable URL parameters. These vulnerabilities affect all\u00a0applications using Causeway's ViewModel functionality and can be exploited\u00a0by authenticated attackers to execute arbitrary code with application\u00a0privileges.\u00a0\n\nThis issue affects all current versions.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "critical"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-11-19T10:32:05.808Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b"}], "source": {"defect": ["CAUSEWAY-3939"], "discovery": "EXTERNAL"}, "title": "Apache Causeway: Java deserialization vulnerability to authenticated attackers", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/11/19/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-19T12:08:21.438Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-19T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-64408"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-20T04:55:22.650Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/11/19/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-19T12:08:21.438Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-64408", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-19T16:19:32.893459Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T16:19:16.130Z"}}], "cna": {"title": "Apache Causeway: Java deserialization vulnerability to authenticated attackers", "source": {"defect": ["CAUSEWAY-3939"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Slain Nico"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "critical"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Causeway", "versions": [{"status": "affected", "version": "2.0.0", "versionType": "semver", "lessThanOrEqual": "3.4.0"}, {"status": "affected", "version": "4.0.0-M1", "versionType": "semver"}], "packageName": "org.apache.causeway:*", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through\u00a0user-controllable URL parameters. These vulnerabilities affect all\u00a0applications using Causeway's ViewModel functionality and can be exploited\u00a0by authenticated attackers to execute arbitrary code with application\u00a0privileges.\u00a0\n\nThis issue affects all current versions.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>\nApache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through&nbsp;user-controllable URL parameters. These vulnerabilities affect all&nbsp;applications using Causeway's ViewModel functionality and can be exploited&nbsp;by authenticated attackers to execute arbitrary code with application&nbsp;privileges.&nbsp;</p><p>This issue affects all current versions.</p><p>Users are recommended to upgrade to version 3.5.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-11-19T10:32:05.808Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64408", "state": "PUBLISHED", "dateUpdated": "2025-11-19T16:19:36.494Z", "dateReserved": "2025-11-03T17:08:27.439Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-11-19T10:32:05.808Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through\u00a0user-controllable URL parameters. These vulnerabilities affect all\u00a0applications using Causeway's ViewModel functionality and can be exploited\u00a0by authenticated attackers to execute arbitrary code with application\u00a0privileges.\u00a0\n\nThis issue affects all current versions.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue."}], "id": "CVE-2025-64408", "lastModified": "2025-11-19T19:14:59.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-19T11:15:47.790", "references": [{"source": "[email protected]", "url": "https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/11/19/1"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "[email protected]", "type": "Secondary"}]}

{}