CVE-2025-24016

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-24016
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24016.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-24016
Aliases
Downstream
Related
Published
2025-02-10T20:15:42Z
Modified
2025-06-12T11:02:34.645211Z
Summary
[none]
Details

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using as_wazuh_object (in framework/wazuh/core/cluster/common.py). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (__unhandled_exc__) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.

References

Affected packages

Git / github.com/wazuh/wazuh

Affected ranges

Type
GIT
Repo
https://github.com/wazuh/wazuh
Events
Introduced
2477e9fa50bc1424e834ac8401ce2450a5978e75
Fixed
030da3527b7031348ae3f686aae663621d981c26

Affected versions

v4.*

v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.5.4
v4.6.0
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.7.5
v4.8.1
v4.8.2
v4.9.0