CVE-2025-64408
Description
Apache Causeway is affected by Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges. This issue affects all current versions. Users are recommended to upgrade to version 3.5.0, which fixes the issue.
Risk Information
Base Score
6.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score
Exploitation Probability
0.826
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2025-64408 are fixed in Apache - causeway-commons 3.5.0 | Windows |
| Vulnerabilities CVE-2025-64408 are fixed in Apache - causeway-applib 3.5.0 | Windows |
| Vulnerabilities CVE-2025-64408 are fixed in Apache - causeway-core 3.5.0 | Windows |
| Vulnerabilities CVE-2025-64408 are fixed in Apache - causeway-viewer-wicket 3.5.0 | Windows |
| Vulnerabilities CVE-2025-64408 are fixed in Apache - causeway-commons for Linux 3.5.0 | Linux |
| Vulnerabilities CVE-2025-64408 are fixed in Apache - causeway-applib for Linux 3.5.0 | Linux |
| Vulnerabilities CVE-2025-64408 are fixed in Apache - causeway-core for Linux 3.5.0 | Linux |
| Vulnerabilities CVE-2025-64408 are fixed in Apache - causeway-viewer-wicket for Linux 3.5.0 | Linux |
Patch Details
No records found