AI description
CVE-2025-32897 is a deserialization of untrusted data vulnerability affecting Apache Seata. It impacts versions from 2.0.0 up to, but not including, 2.3.0; users are recommended to upgrade to version 2.3.0 to address the issue. This vulnerability is the same issue as CVE-2024-47552, but it applies to a broader range of Apache Seata versions than the earlier CVE described. The vulnerability exists because the software deserializes untrusted data without sufficiently verifying its validity.
- Description
- Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Severity Justification: The Apache Seata security team assesses the severity of this vulnerability as "Low" due to stringent real-world mitigating factors. First, the vulnerability is strictly isolated to the Raft cluster mode, an optional and non-default feature introduced in v2.0.0, while most users rely on the unaffected traditional architecture. Second, Seata is an internal middleware; communication between TC and RM/TM occurs entirely within trusted internal networks. An attacker would require prior, unauthorized access to the Intranet to exploit this, making external exploitation highly improbable. Users are recommended to upgrade to version 2.3.0, which fixes the issue.
- Source
- security@apache.org
- NVD status
- Modified
- Products
- seata
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security@apache.org
- CWE-502
- Hype score
- Not currently trending
`Apache Seata` is vulnerable to deserialization of untrusted data (CVE-2025-32897), potentially leading to RCE. Users should monitor for official updates. #ApacheSeata #Deserialization #infosec https://t.co/aEcLagXYFX
@pulsepatchio
28 Mar 2026
CVE-2025-32897 (CVSS:9.8, CRITICAL) is Awaiting Analysis. Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same a..https://t.co/kH79f3XbKK #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre
@cracbot
3 Jul 2025
CVE-2025-32897 Deserialization Vulnerability in Apache Seata (Incubating... https://t.co/9yvEpmDMQJ Don't wait for vulnerability scanning results: https://t.co/oh1APvMMnd
@VulmonFeeds
28 Jun 2025
CVE-2025-32897 Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range descri… https://t.co/gvuO4WAu18
@CVEnew
28 Jun 2025
CVE-2025-32897: Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server https://t.co/D4NLy3CFG5 the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow
@oss_security
28 Jun 2025
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:seata:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "CBB1A8DC-8C4F-484E-B06B-803A2B4D6A40",
            "versionEndExcluding": "2.3.0",
            "versionStartIncluding": "2.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]