CVE-2025-64408
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-25
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | causeway | From 2.0.0 (inc) to 3.5.0 (exc) |
| apache | causeway | 4.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64408 is a deserialization-of-untrusted-data flaw (CWE-502) in Apache Causeway. Causeway carries view-model state in URL parameters and reconstitutes it with Java deserialization; because that parameter is under the client's control, an authenticated attacker can submit a crafted value and reach remote code execution in any application that uses Causeway's ViewModel functionality, running with the application's own privileges. The affected range is Apache Causeway 2.0.0 up to, but not including, 3.5.0, plus 4.0.0.
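To make the CWE-502 mechanism concrete, the following is an added example and not Apache Causeway's own code: it assumes a hypothetical view model whose state travels in a URL parameter as a base64-encoded Java serialization stream (a simplification of what the advisory describes), shows the unsafe restore path beside a variant guarded by a JEP 290 `ObjectInputFilter`, and includes a small check for the serialization magic that is useful when hunting for such parameters in access logs. The class names `MementoDemo` and `ReportViewModel` are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

// Added example, not Apache Causeway code. Run with: java MementoDemo.java (Java 11+).
public class MementoDemo {

    // Hypothetical view model: a plain Serializable bean stands in for a Causeway ViewModel.
    public static class ReportViewModel implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String reportId;
        public ReportViewModel(String reportId) { this.reportId = reportId; }
    }

    // Encoding side, shared by both variants: produces the value that ends up in the URL.
    public static String toMemento(Serializable vm) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(vm);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bos.toByteArray());
    }

    // VULNERABLE: the URL parameter is decoded and fed straight into ObjectInputStream, so any
    // class on the classpath with a usable gadget chain is instantiated on the attacker's behalf.
    public static Object restoreUnsafe(String memento) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getUrlDecoder().decode(memento);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    // HARDENED: a JEP 290 filter allow-lists the view-model class (and java.lang.String), rejects
    // every other class with "!*", and caps depth and size so a hostile stream fails early.
    public static Object restoreFiltered(String memento) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getUrlDecoder().decode(memento);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "MementoDemo$ReportViewModel;java.lang.String;!*;maxdepth=4;maxbytes=4096");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    // Detection aid: every Java serialization stream starts with the magic 0xACED0005, which
    // base64-encodes (standard or URL-safe alphabet) to the prefix "rO0AB". That prefix inside a
    // URL parameter or access-log entry is worth a second look.
    public static boolean looksLikeJavaSerialized(String memento) {
        try {
            byte[] raw = Base64.getUrlDecoder().decode(memento);
            return raw.length >= 4 && raw[0] == (byte) 0xAC && raw[1] == (byte) 0xED
                    && raw[2] == 0x00 && raw[3] == 0x05;
        } catch (IllegalArgumentException notBase64) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String legit = toMemento(new ReportViewModel("q3-2025"));
        System.out.println("prefix rO0AB present: " + legit.startsWith("rO0AB")
                + ", magic check: " + looksLikeJavaSerialized(legit));
        System.out.println("restored: " + ((ReportViewModel) restoreFiltered(legit)).reportId);

        // Constructed stand-in for a hostile memento: a serialized java.util.HashMap. A real attack
        // would carry a gadget chain, but the filter rejects it for the same reason it rejects the
        // map: the class is not on the allow-list.
        String hostile = toMemento(new java.util.HashMap<String, String>());
        try {
            restoreFiltered(hostile);
            System.out.println("unexpected: hostile stream accepted");
        } catch (InvalidClassException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
        // restoreUnsafe(hostile) would hand back the HashMap without complaint.
    }
}
```

The allow-list filter is defense in depth, not a substitute for the fixed release: it narrows what an `ObjectInputStream` will instantiate, but the safe design for state that round-trips through a URL is a format that carries no class names at all (an opaque server-side key, or a plain text or JSON memento that the view model parses itself).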
How can this vulnerability impact me?
If exploited, an authenticated attacker can execute arbitrary code inside the affected application, with the same privileges as the application process. That means any data the application can reach, any credentials it holds (database, message broker, cloud), and any lateral movement those credentials allow are in scope, so the realistic impact is full compromise of the application and a foothold into the surrounding environment.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade to Apache Causeway version 3.5.0, which fixes the vulnerability. Note that the affected-products table also lists 4.0.0; deployments on the 4.x line should consult the Apache Causeway security advisory for the fixed 4.x release rather than downgrading. Until the upgrade is in place, treat every authenticated user as able to run code in the application, and consider a JDK-wide serialization filter (the jdk.serialFilter system property or security property, available since Java 9 under JEP 290) that rejects classes outside an explicit allow-list as a stop-gap; review access logs for URL parameters beginning with rO0AB, the base64 form of the Java serialization magic, for signs of probing.