CVE-2025-15222
Unknown Unknown - Not Provided
Remote Deserialization Vulnerability in Dromara Sa-Token up to

Publication date: 2025-12-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15222
EUVD
EUVD-2025-205687
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dromara sa-token 1.44.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Dromara Sa-Token up to version 1.44.0, specifically in the ObjectInputStream.readObject function within the SaSerializerTemplateForJdkUseBase64.java file. It allows an attacker to manipulate the deserialization process remotely, potentially leading to unintended code execution or other malicious effects. The attack is complex and difficult to exploit, but the exploit has been publicly disclosed.

Impact Analysis

The vulnerability can impact you by allowing a remote attacker to exploit the deserialization process, which may lead to unauthorized actions such as code execution or data manipulation. Although the exploit is difficult to perform, if successful, it could compromise the integrity, confidentiality, and availability of your system using Dromara Sa-Token.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious or unexpected Base64-encoded serialized objects in tokens, such as HTTP cookies, headers, or request bodies, especially if the Sa-Token framework is configured to use the JDK/Base64 serialization template. Detection involves inspecting token values for Base64 strings that decode to serialized Java objects. Network monitoring tools or custom scripts can be used to extract and decode these tokens. For example, you can capture HTTP requests and extract the 'satoken' cookie or header, then decode the Base64 content and analyze the serialized object. Commands to detect suspicious tokens might include using curl or tcpdump to capture traffic, followed by base64 decoding and Java deserialization analysis. Example commands: 1) Capture HTTP traffic containing Sa-Token tokens: `tcpdump -i eth0 -A port 80 or port 443 | grep 'satoken'` 2) Extract and decode Base64 token value: `echo '<Base64TokenValue>' | base64 -d > token.ser` 3) Analyze the serialized object with Java deserialization tools or custom scripts to detect gadget chains. Note that detection requires knowledge of the token format and access to network traffic or logs where tokens are stored or transmitted. [1, 3]

Mitigation Strategies

Immediate mitigation steps include: 1) Disable the use of the JDK/Base64 serialization template in Sa-Token and switch to the default JSON serialization template, which is not affected by this vulnerability. 2) Prevent reading tokens from attacker-controlled sources such as cookies by disabling `SaTokenConfig#setIsReadCookie(true)` or equivalent configuration. 3) Restrict or sanitize inputs that can influence token values or session keys to prevent injection of malicious serialized objects. 4) If possible, replace or upgrade the Sa-Token framework to a version that does not use unsafe deserialization or apply patches when available. 5) Monitor and block suspicious tokens or requests that contain unexpected Base64-encoded serialized objects. Since no vendor patch or official fix is currently available, consider isolating or limiting the affected service until a secure version or workaround is implemented. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15222. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart