CVE-2025-60889
Status: Received - Intake
Insecure Deserialization in StellarGroup HPX 1.11.0 Enables RCE

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: MITRE

Description
Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor        Product   Version / Range
stellargroup  hpx       1.11.0
stellargroup  hpx       all versions before 1.11.0 (1.11.0 excluded)
CWE
CWE-502 (Deserialization of Untrusted Data): The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-60889 is a critical vulnerability in StellarGroup HPX version 1.11.0: insecure deserialization that produces type confusion between shared pointers.

HPX's serialization layer tracks pointers it has already deserialized so that a later reference to the same object can be resolved by copying the stored pointer instead of decoding the object a second time. That shortcut never checks that the type requested at the later site matches the type of the object stored under that id. An attacker who controls the serialized stream can therefore make two differently typed pointers alias one allocation, which is type confusion.

Through the confused view the attacker can read memory as the wrong type, leaking addresses and other data, and, when the aliased object is polymorphic, tamper with its vtable pointer to hijack control flow, which can lead to arbitrary code execution.


How can this vulnerability impact me?

This vulnerability can have severe impacts including:

  • Information disclosure by leaking memory addresses, which can bypass security mechanisms like ASLR.
  • Arbitrary memory reads that may expose sensitive data.
  • Control flow hijacking through manipulation of vtable pointers, enabling attackers to redirect program execution.
  • Local privilege escalation, or remote code execution where the vulnerable deserialization path is reachable over the network.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2025-60889 starts with inventory: find deployments of HPX 1.11.0 or earlier (the affected range listed above), since those carry the serialization code that resolves tracked shared pointers without a type check.

Since the vulnerability arises from insecure deserialization of shared pointers, monitoring for unusual or unexpected deserialization behavior, especially involving polymorphic types or shared pointers, can help detect exploitation attempts.

No specific network detection commands are provided in the available resources. HPX is a C++ library rather than a standalone tool, so there is no single CLI to query; the version can instead be established from the build or the packaging:

  • Run any application built against HPX with --hpx:version, which prints the HPX version it was linked with (for applications that use HPX's standard command-line handling).
  • Check the installed CMake package configuration that find_package(HPX) consumes, or the build tree that produced the binary, for the recorded HPX version.
  • Check the package manager, e.g. dpkg -l | grep hpx (on Debian-based systems) or rpm -qa | grep hpx (on RPM-based systems).

To detect exploitation attempts, you might monitor logs or application behavior for crashes or unexpected memory access patterns related to deserialization.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade HPX to a version where this vulnerability is patched or apply the suggested remediation that introduces strict type checking during deserialization.
  • If upgrading is not immediately possible, restrict or disable deserialization of untrusted input, especially over the network, to prevent remote exploitation.
  • Implement application-level controls to validate or sanitize serialized data before deserialization.
  • Monitor and audit deserialization processes for anomalies or unexpected behavior.

The root cause is missing type verification during pointer shortcutting in deserialization, so applying patches that add type hash checks or redefining type equality for polymorphic types is critical.
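The pointer-tracking shortcut described in the explanation above and the type check named here as the fix, side by side in a toy C++ archive. This is an added example and not HPX's own serialization code: the types Token and Handle, the two trackers, the Entry wire record and the attacker stream are all constructed for the illustration.

```cpp
// Added illustration, not HPX source code: a toy archive that models pointer
// tracking during deserialization. The first time an object id appears its
// bytes are decoded into a fresh object; a later reference to the same id is
// resolved by handing back the already-built pointer (the shortcut).
#include <cstdint>
#include <cstring>
#include <memory>
#include <stdexcept>
#include <string>
#include <typeindex>
#include <typeinfo>
#include <unordered_map>
#include <vector>

// Two unrelated, trivially copyable types of equal size (hypothetical names).
struct Token  { char secret[16]; };                     // must never leave the process
struct Handle { std::uint64_t lo; std::uint64_t hi; };  // "harmless" numeric fields
static_assert(sizeof(Token) == sizeof(Handle), "demo relies on equal sizes");

// One record of the constructed wire format: an object id plus, on first
// occurrence, the raw bytes; a back-reference carries only the id. The sender
// controls ids and bytes; the receiver's code fixes the C++ type expected at
// each position, as at a real deserialization site.
struct Entry {
    std::uint32_t id;
    std::vector<std::uint8_t> bytes;
};

// Vulnerable tracker: id -> pointer only; the stored type is forgotten.
struct UncheckedTracker {
    std::unordered_map<std::uint32_t, std::shared_ptr<void>> seen;
};

template <class T>
std::shared_ptr<T> load_unchecked(UncheckedTracker& t, const Entry& e) {
    auto it = t.seen.find(e.id);
    if (it != t.seen.end()) {
        // BUG: whatever lives under this id is reinterpreted as T. If a Token
        // was stored and T is Handle, the caller now sees the secret bytes
        // through Handle's fields: type confusion.
        return std::static_pointer_cast<T>(it->second);
    }
    if (e.bytes.size() != sizeof(T)) throw std::runtime_error("short object");
    auto obj = std::make_shared<T>();
    std::memcpy(obj.get(), e.bytes.data(), sizeof(T));
    t.seen[e.id] = obj;
    return obj;
}

// Hardened tracker: id -> (pointer, type identity). The shortcut survives,
// but only for a request of the type that was actually stored.
struct CheckedTracker {
    struct Slot { std::shared_ptr<void> ptr; std::type_index type; };
    std::unordered_map<std::uint32_t, Slot> seen;
};

template <class T>
std::shared_ptr<T> load_checked(CheckedTracker& t, const Entry& e) {
    auto it = t.seen.find(e.id);
    if (it != t.seen.end()) {
        if (it->second.type != std::type_index(typeid(T)))
            throw std::runtime_error("type mismatch on tracked id " + std::to_string(e.id));
        return std::static_pointer_cast<T>(it->second.ptr);
    }
    if (e.bytes.size() != sizeof(T)) throw std::runtime_error("short object");
    auto obj = std::make_shared<T>();
    std::memcpy(obj.get(), e.bytes.data(), sizeof(T));
    t.seen.emplace(e.id, CheckedTracker::Slot{obj, std::type_index(typeid(T))});
    return obj;
}

// Constructed attacker stream: id 1 arrives with Token-sized bytes, then the
// position where the receiver expects a Handle back-references id 1.
inline std::vector<Entry> attacker_stream() {
    const char secret[16] = {'h','u','n','t','e','r','2','-','s','e','c','r','e','t','!','!'};
    return { Entry{1, std::vector<std::uint8_t>(secret, secret + 16)}, Entry{1, {}} };
}

// Receiver schema: a Token, then a Handle. With the unchecked tracker the
// Handle aliases the Token, so the 16 bytes it would treat as two integers
// (and might log or echo back) are the secret.
inline std::string leak_via_unchecked(const std::vector<Entry>& stream) {
    UncheckedTracker t;
    (void)load_unchecked<Token>(t, stream[0]);        // tracker keeps it alive
    auto h = load_unchecked<Handle>(t, stream[1]);    // same allocation as the Token
    return std::string(reinterpret_cast<const char*>(h.get()), sizeof(Handle));
}

inline bool checked_rejects(const std::vector<Entry>& stream) {
    CheckedTracker t;
    (void)load_checked<Token>(t, stream[0]);
    try { (void)load_checked<Handle>(t, stream[1]); }
    catch (const std::runtime_error&) { return true; }
    return false;
}

// A legitimate same-type back-reference still takes the shortcut.
inline bool checked_keeps_shortcut() {
    CheckedTracker t;
    auto a = load_checked<Handle>(t, Entry{7, std::vector<std::uint8_t>(sizeof(Handle), 0x41)});
    auto b = load_checked<Handle>(t, Entry{7, {}});
    return a.get() == b.get();
}
```

The unchecked path hands the Token's storage back as a Handle, so whatever the receiver then does with that Handle discloses the secret; the same mechanism applied to a polymorphic object is what lets an attacker reach and overwrite a vtable pointer. The checked path stores a std::type_index beside the pointer, the toy equivalent of the type hash the fix adds, and still honours same-type back-references so the performance shortcut is not lost.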


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2025-60889 involves insecure deserialization that can lead to information disclosure, arbitrary memory reads, control flow hijacking, and arbitrary code execution. Such impacts could potentially expose sensitive data or allow unauthorized system access.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the vulnerability's potential for data leakage and unauthorized code execution could lead to violations of data protection and security requirements mandated by these regulations.

Organizations using affected versions of HPX should consider this vulnerability a risk to confidentiality and integrity, which are core principles in many compliance frameworks, and take appropriate remediation steps to maintain compliance.

