CVE-2024-47552

Published Mar 20, 2025

Last updated a year ago

CVSS critical 9.8

Overview

Description
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Users are recommended to upgrade to version 2.2.0, which fixes the issue.
Source
security@apache.org
NVD status
Analyzed
Products
seata

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-502

Social media

Hype score
Not currently trending

  1. CVE-2025-32897 Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range descri… https://t.co/gvuO4WAu18

    @CVEnew

    28 Jun 2025

    564 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  2. CVE-2025-32897: Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server https://t.co/D4NLy3CFG5 the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow

    @oss_security

    28 Jun 2025

    398 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2024-47552 Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Users are recom… https://t.co/kdkUpgY2J4

    @CVEnew

    20 Mar 2025

    263 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2024-47552: Apache Seata (incubating): Deserialization of untrusted Data in jraft mode in Apache Seata Server https://t.co/wdh6OOQN01 CVE-2024-54016: Apache Seata (incubating): Compression bomb attack https://t.co/jRCfC7BCKc

    @oss_security

    20 Mar 2025

    160 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. New post from https://t.co/uXvPWJyEiR (CVE-2024-47552 | Apache Seata up to 2.1.x deserialization) has been published on https://t.co/VGvMrsD70l

    @WolfgangSesin

    19 Mar 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue.CVE-2025-53606
  2. Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.CVE-2025-32897
  3. Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through <=2.2.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.CVE-2024-54016
  4. Deserialization of Untrusted Data vulnerability in Apache Seata.  When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.CVE-2024-22399

References

Sources include official advisories and independent security research.