CVE-2025-32897

Published Jun 28, 2025

Last updated 8 months ago

CVSS critical 9.8

Overview

Description
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.
Source
security@apache.org
NVD status
Analyzed
Products
seata

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-502

Social media

Hype score
Not currently trending

  1. CVE-2025-32897 (CVSS:9.8, CRITICAL) is Awaiting Analysis. Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same a..https://t.co/kH79f3XbKK #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    3 Jul 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-32897 Deserialization Vulnerability in Apache Seata (Incubating... https://t.co/9yvEpmDMQJ Don't wait vulnerability scanning results: https://t.co/oh1APvMMnd

    @VulmonFeeds

    28 Jun 2025

    83 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-32897 Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range descri… https://t.co/gvuO4WAu18

    @CVEnew

    28 Jun 2025

    564 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  4. CVE-2025-32897: Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server https://t.co/D4NLy3CFG5 the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow

    @oss_security

    28 Jun 2025

    398 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue.CVE-2025-53606
  2. Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through <=2.2.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.CVE-2024-54016
  3. Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Users are recommended to upgrade to version 2.2.0, which fixes the issue.CVE-2024-47552
  4. Deserialization of Untrusted Data vulnerability in Apache Seata.  When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.CVE-2024-22399

References

Sources include official advisories and independent security research.