CVE-2025-64408

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-64408

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64408.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-64408

Aliases

GHSA-wq4c-57mh-5f7g

Published

2025-11-19T11:15:47.790Z

Modified

2026-03-14T12:47:03.414075Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.

This issue affects all current versions.

Users are recommended to upgrade to version 3.5.0, which fixes the issue.

References

Affected packages

Git / github.com/apache/causeway

Affected ranges

Type

GIT

Repo

https://github.com/apache/causeway

Events

Introduced

75d21bcb30d85bc37d9115fc14cc35ce4271b986

Fixed

66e985d5c85b84e8147d4339c17950a48ee09c2c

Introduced

Last affected

a65669305380641490c6137d7b3d6b4a2fbf6c4d

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "3.5.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.0.0-m1"
        }
    ]
}

Affected versions

causeway-2.*

causeway-2.0.0-RC3

isis-2.*

isis-2.0.0-M7

rel/causeway-2.*

rel/causeway-2.0.0

rel/causeway-2.0.0-RC1

rel/causeway-2.0.0-RC2

rel/causeway-2.0.0-RC3

rel/causeway-2.0.0-RC4

rel/causeway-2.1.0

rel/causeway-3.*

rel/causeway-3.0.0

rel/causeway-3.1.0

rel/causeway-3.2.0

rel/causeway-3.3.0

rel/causeway-3.4.0

rel/causeway-4.*

rel/causeway-4.0.0-M1

rel/helloworld-archetype-1.*

rel/helloworld-archetype-1.15.0

rel/helloworld-archetype-1.15.1

rel/helloworld-archetype-1.16.0

rel/helloworld-archetype-1.16.1

rel/helloworld-archetype-1.16.2

rel/helloworld-archetype-1.17.0

rel/helloworld-archetype-2.*

rel/helloworld-archetype-2.0.0-M1

rel/helloworld-archetype-2.0.0-M2

rel/isis-1.*

rel/isis-1.10.0

rel/isis-1.11.0

rel/isis-1.11.1

rel/isis-1.12.0

rel/isis-1.12.1

rel/isis-1.12.2

rel/isis-1.13.0

rel/isis-1.13.1

rel/isis-1.13.2

rel/isis-1.14.0

rel/isis-1.15.0

rel/isis-1.15.1

rel/isis-1.16.0

rel/isis-1.16.1

rel/isis-1.16.2

rel/isis-1.17.0

rel/isis-1.3.0

rel/isis-1.4.0

rel/isis-1.5.0

rel/isis-1.6.0

rel/isis-1.7.0

rel/isis-1.8.0

rel/isis-1.9.0

rel/isis-2.*

rel/isis-2.0.0-M1

rel/isis-2.0.0-M2

rel/isis-2.0.0-M3

rel/isis-2.0.0-M4

rel/isis-2.0.0-M5

rel/isis-2.0.0-M6

rel/isis-2.0.0-M7

rel/isis-2.0.0-M9

rel/isis-objectstore-jdo-1.*

rel/isis-objectstore-jdo-1.3.0

rel/isis-objectstore-jdo-1.4.0

rel/isis-objectstore-jdo-1.4.1

rel/isis-objectstore-jdo-1.5.0

rel/isis-security-file-1.*

rel/isis-security-file-1.0.1

rel/isis-security-file-1.4.0

rel/isis-security-shiro-1.*

rel/isis-security-shiro-1.1.1

rel/isis-security-shiro-1.3.0

rel/isis-security-shiro-1.4.0

rel/isis-security-shiro-1.5.0

rel/isis-viewer-restfulobjects-2.*

rel/isis-viewer-restfulobjects-2.0.0

rel/isis-viewer-restfulobjects-2.1.0

rel/isis-viewer-restfulobjects-2.2.0

rel/isis-viewer-restfulobjects-2.3.0

rel/isis-viewer-wicket-1.*

rel/isis-viewer-wicket-1.3.0

rel/isis-viewer-wicket-1.4.0

rel/isis-viewer-wicket-1.4.1

rel/isis-viewer-wicket-1.5.0

rel/isis-viewer-wicket-1.6.0

rel/isis-viewer-wicket-1.7.0

rel/quickstart_wicket_restful_jdo-archetype-1.*

rel/quickstart_wicket_restful_jdo-archetype-1.0.3

rel/quickstart_wicket_restful_jdo-archetype-1.3.0

rel/quickstart_wicket_restful_jdo-archetype-1.4.0

rel/quickstart_wicket_restful_jdo-archetype-1.4.1

rel/quickstart_wicket_restful_jdo-archetype-1.5.0

rel/simple_wicket_restful_jdo-archetype-1.*

rel/simple_wicket_restful_jdo-archetype-1.3.0

rel/simple_wicket_restful_jdo-archetype-1.4.0

rel/simple_wicket_restful_jdo-archetype-1.4.1

rel/simple_wicket_restful_jdo-archetype-1.5.0

rel/simpleapp-archetype-1.*

rel/simpleapp-archetype-1.10.0

rel/simpleapp-archetype-1.11.0

rel/simpleapp-archetype-1.11.1

rel/simpleapp-archetype-1.12.0

rel/simpleapp-archetype-1.12.1

rel/simpleapp-archetype-1.12.2

rel/simpleapp-archetype-1.13.0

rel/simpleapp-archetype-1.13.1

rel/simpleapp-archetype-1.13.2

rel/simpleapp-archetype-1.13.2.1

rel/simpleapp-archetype-1.14.0

rel/simpleapp-archetype-1.15.0

rel/simpleapp-archetype-1.15.1

rel/simpleapp-archetype-1.16.0

rel/simpleapp-archetype-1.16.1

rel/simpleapp-archetype-1.16.2

rel/simpleapp-archetype-1.17.0

rel/simpleapp-archetype-1.6.0

rel/simpleapp-archetype-1.7.0

rel/simpleapp-archetype-1.8.0

rel/simpleapp-archetype-1.9.0

rel/simpleapp-archetype-2.*

rel/simpleapp-archetype-2.0.0-M1

rel/simpleapp-archetype-2.0.0-M2

rel/todoapp-archetype-1.*

rel/todoapp-archetype-1.6.0

rel/todoapp-archetype-1.7.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64408.json"