CVE-2025-2251

Advisory lineage Upstream: 0 Downstream: 5

Downstream

RHSA-2025:10452 RHSA-2025:10453 RHSA-2025:10924 RHSA-2025:10925 RHSA-2025:10926

Deferred

Published: 07 Apr 2025, 14:06

Last modified:11 Nov 2025, 17:10

Vulnerability Summary

Overall Risk (default)

medium

25/100

CVSS Score

6.2 MEDIUM

v3.1 (cve.org)

EPSS Score

1.94% LOW

2% probability -0.69%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

07 Apr 2025, 14:06

Published

Vulnerability first disclosed

11 Nov 2025, 17:10

Last Modified

Vulnerability information updated

Description

A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.

CVSS Metrics

v3.1•MEDIUM•Score: 6.2CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

EPSS Trends

Current EPSS score: 1.94%• Percentile: 84%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.