{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2251", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-03-12T13:53:37.117Z", "datePublished": "2025-04-07T14:06:46.985Z", "dateUpdated": "2025-04-07T15:23:08.507Z"}, "containers": {"cna": {"title": "Org.jboss.eap:wildfly-ejb3: improper deserialization in jboss marshalling allows remote code execution", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "wildfly-ejb3", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "wildfly-ejb3", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "wildfly-ejb3", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-2251", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351678", "name": "RHBZ#2351678", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-04-07T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-502: Deserialization of Untrusted Data", "timeline": [{"lang": "en", "time": "2025-03-12T13:33:14.782000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-04-07T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Pupi1 for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-04-07T14:06:46.985Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-07T14:18:34.200921Z", "id": "CVE-2025-2251", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T15:23:08.507Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2251", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-07T14:18:34.200921Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T14:18:38.922Z"}}], "cna": {"title": "Org.jboss.eap:wildfly-ejb3: improper deserialization in jboss marshalling allows remote code execution", "credits": [{"lang": "en", "value": "Red Hat would like to thank Pupi1 for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "packageName": "wildfly-ejb3", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "wildfly-ejb3", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jbosseapxp"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "packageName": "wildfly-ejb3", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-03-12T13:33:14.782000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-04-07T00:00:00+00:00", "value": "Made public."}], "datePublic": "2025-04-07T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-2251", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351678", "name": "RHBZ#2351678", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-04-07T14:06:46.985Z"}, "x_redhatCweChain": "CWE-502: Deserialization of Untrusted Data"}}, "cveMetadata": {"cveId": "CVE-2025-2251", "state": "PUBLISHED", "dateUpdated": "2025-04-07T15:23:08.507Z", "dateReserved": "2025-03-12T13:53:37.117Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-04-07T14:06:46.985Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{}

{"acknowledgement": "Red Hat would like to thank Pupi1 for reporting this issue.", "bugzilla": {"description": "org.jboss.eap:wildfly-ejb3: Improper Deserialization in JBoss Marshalling Allows Remote Code Execution", "id": "2351678", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351678"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.", "A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication."], "name": "CVE-2025-2251", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "wildfly-ejb3", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "wildfly-ejb3", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "wildfly-ejb3", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2025-04-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-2251\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-2251"], "threat_severity": "Moderate"}