Search criteria
3 vulnerabilities found for causeway by apache
FKIE_CVE-2025-64408
Vulnerability from fkie_nvd - Published: 2025-11-19 11:15 - Updated: 2025-11-25 14:35
Severity ?
Summary
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.
This issue affects all current versions.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/11/19/1 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:causeway:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B044B2DD-ECE0-4C1C-8EFA-74C875B864D4",
"versionEndExcluding": "3.5.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:causeway:4.0.0:m1:*:*:*:*:*:*",
"matchCriteriaId": "0DEE4E19-11F1-4BED-8766-8DD6EB5B68F8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through\u00a0user-controllable URL parameters. These vulnerabilities affect all\u00a0applications using Causeway\u0027s ViewModel functionality and can be exploited\u00a0by authenticated attackers to execute arbitrary code with application\u00a0privileges.\u00a0\n\nThis issue affects all current versions.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue."
}
],
"id": "CVE-2025-64408",
"lastModified": "2025-11-25T14:35:05.667",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-11-19T11:15:47.790",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/11/19/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
CVE-2025-64408 (GCVE-0-2025-64408)
Vulnerability from cvelistv5 – Published: 2025-11-19 10:32 – Updated: 2025-11-20 04:55
VLAI?
Title
Apache Causeway: Java deserialization vulnerability to authenticated attackers
Summary
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.
This issue affects all current versions.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Causeway |
Affected:
2.0.0 , ≤ 3.4.0
(semver)
Affected: 4.0.0-M1 (semver) |
Credits
Slain Nico
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-19T12:08:21.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/19/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-64408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T04:55:22.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.causeway:*",
"product": "Apache Causeway",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.4.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "4.0.0-M1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Slain Nico"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\nApache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through\u0026nbsp;user-controllable URL parameters. These vulnerabilities affect all\u0026nbsp;applications using Causeway\u0027s ViewModel functionality and can be exploited\u0026nbsp;by authenticated attackers to execute arbitrary code with application\u0026nbsp;privileges.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects all current versions.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.5.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through\u00a0user-controllable URL parameters. These vulnerabilities affect all\u00a0applications using Causeway\u0027s ViewModel functionality and can be exploited\u00a0by authenticated attackers to execute arbitrary code with application\u00a0privileges.\u00a0\n\nThis issue affects all current versions.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T10:32:05.808Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b"
}
],
"source": {
"defect": [
"CAUSEWAY-3939"
],
"discovery": "EXTERNAL"
},
"title": "Apache Causeway: Java deserialization vulnerability to authenticated attackers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-64408",
"datePublished": "2025-11-19T10:32:05.808Z",
"dateReserved": "2025-11-03T17:08:27.439Z",
"dateUpdated": "2025-11-20T04:55:22.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64408 (GCVE-0-2025-64408)
Vulnerability from nvd – Published: 2025-11-19 10:32 – Updated: 2025-11-20 04:55
VLAI?
Title
Apache Causeway: Java deserialization vulnerability to authenticated attackers
Summary
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.
This issue affects all current versions.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Causeway |
Affected:
2.0.0 , ≤ 3.4.0
(semver)
Affected: 4.0.0-M1 (semver) |
Credits
Slain Nico
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-19T12:08:21.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/19/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-64408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T04:55:22.650Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.causeway:*",
"product": "Apache Causeway",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.4.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "4.0.0-M1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Slain Nico"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\nApache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through\u0026nbsp;user-controllable URL parameters. These vulnerabilities affect all\u0026nbsp;applications using Causeway\u0027s ViewModel functionality and can be exploited\u0026nbsp;by authenticated attackers to execute arbitrary code with application\u0026nbsp;privileges.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis issue affects all current versions.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.5.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through\u00a0user-controllable URL parameters. These vulnerabilities affect all\u00a0applications using Causeway\u0027s ViewModel functionality and can be exploited\u00a0by authenticated attackers to execute arbitrary code with application\u00a0privileges.\u00a0\n\nThis issue affects all current versions.\n\nUsers are recommended to upgrade to version 3.5.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T10:32:05.808Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b"
}
],
"source": {
"defect": [
"CAUSEWAY-3939"
],
"discovery": "EXTERNAL"
},
"title": "Apache Causeway: Java deserialization vulnerability to authenticated attackers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-64408",
"datePublished": "2025-11-19T10:32:05.808Z",
"dateReserved": "2025-11-03T17:08:27.439Z",
"dateUpdated": "2025-11-20T04:55:22.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}