CVE-2025-53606

Published Aug 8, 2025

Last updated 7 months ago

CVSS critical 9.8

Overview

Description
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue.
Source
security@apache.org
NVD status
Analyzed
Products
seata

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-502

Social media

Hype score
Not currently trending

  1. CVE-2025-53606 (CVSS:9.8, CRITICAL) is Analyzed. Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubati..https://t.co/q9yJ5XhoN6 #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    13 Aug 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 CRITICAL: Apache Seata 2.4.0 hit by deserialization flaw (CVE-2025-53606) — attackers could execute arbitrary code! Upgrade to 2.5.0 ASAP. Protect your distributed transactions. Details: https://t.co/vtWpmiauZ9... https://t.co/ug1y9X2uGX

    @offseq

    8 Aug 2025

    56 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-53606 Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade … https://t.co/wNNKtI0N1m

    @CVEnew

    8 Aug 2025

    444 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-53606 CVE-2025-53606 https://t.co/D27trpelm7

    @VulmonFeeds

    7 Aug 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-53606: Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server https://t.co/GFJJNRjjf7

    @oss_security

    7 Aug 2025

    265 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.CVE-2025-32897
  2. Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through <=2.2.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.CVE-2024-54016
  3. Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Users are recommended to upgrade to version 2.2.0, which fixes the issue.CVE-2024-47552
  4. Deserialization of Untrusted Data vulnerability in Apache Seata.  When developers disable authentication on the Seata-Server and do not use the Seata client SDK dependencies, they may construct uncontrolled serialized malicious requests by directly sending bytecode based on the Seata private protocol. This issue affects Apache Seata: 2.0.0, from 1.0.0 through 1.8.0. Users are recommended to upgrade to version 2.1.0/1.8.1, which fixes the issue.CVE-2024-22399

References

Sources include official advisories and independent security research.