CVE-2025-64408

{"id": "CVE-2025-64408", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2025-11-19T11:15:47.790", "references": [{"url": "https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/19/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through\u00a0user-controllable URL parameters. These vulnerabilities affect all\u00a0applications using Causeway's ViewModel functionality and can be exploited\u00a0by authenticated attackers to execute arbitrary code with application\u00a0privileges.\u00a0\n\nThis issue affects all current versions.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue."}], "lastModified": "2025-11-25T14:35:05.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:causeway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B044B2DD-ECE0-4C1C-8EFA-74C875B864D4", "versionEndExcluding": "3.5.0", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:apache:causeway:4.0.0:m1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DEE4E19-11F1-4BED-8766-8DD6EB5B68F8"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}