CVE-2025-32897

Published Jun 28, 2025

Last updated 2 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-32897 is a deserialization of untrusted data vulnerability affecting Apache Seata. Specifically, it impacts versions 2.0.0 prior to 2.3.0. Users are recommended to upgrade to version 2.3.0 to address the issue. This vulnerability is similar to CVE-2024-47552 but applies to a broader range of Apache Seata versions. The vulnerability exists because the software deserializes untrusted data without sufficiently verifying its validity.

Description: Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.
Source: security@apache.org
NVD status: Analyzed
Products: seata

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security@apache.org: CWE-502

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:seata:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CBB1A8DC-8C4F-484E-B06B-803A2B4D6A40",
            "versionEndExcluding": "2.3.0",
            "versionStartIncluding": "2.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.