Deserialization Of Untrusted Data

Apache Causeway is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe Java deserialization of user-controllable URL parameters in ViewModel handling, which allows an authenticated attacker to execute arbitrary code with application privileges...

Apache Causeway Deserialization Vulnerability

Apache Causeway is the Apache Foundation of a Java rapid application development framework . Apache Causeway suffers from a deserialization vulnerability that originates from unsafe deserialization of user-controllable URL parameters in the receipt of serialized data submitted by the user, which...

CVE-2025-64408

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution RCE through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary cod...

dev.savantly.nexus:agents-module (=3.4.0), dev.savantly.nexus:common-types-module (=3.4.0) +152 more potentially affected by CVE-2025-64408 via org.apache.causeway.core:causeway-applib (>=2.0.0-RC1 <=3.4.0)

org.apache.causeway.core:causeway-applib MAVEN version =2.0.0-RC1, =3.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.core:causeway-applib and may be impacted: - dev.savantly.nexus:agents-module =3.4.0 -...

dev.savantly.nexus:agents-module (=3.4.0), dev.savantly.nexus:common-types-module (=3.4.0) +156 more potentially affected by CVE-2025-64408 via org.apache.causeway.commons:causeway-commons (>=2.0.0-RC1 <=3.4.0)

org.apache.causeway.commons:causeway-commons MAVEN version =2.0.0-RC1, =3.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.commons:causeway-commons and may be impacted: - dev.savantly.nexus:agents-module =3.4.0 -...

Apache Causeway vulnerable to deserialization in Java

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution RCE through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary cod...

EUVD-2025-198152

Apache Causeway vulnerable to deserialization in Java...

GHSA-WQ4C-57MH-5F7G Apache Causeway vulnerable to deserialization in Java

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution RCE through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary cod...

CVE-2025-64408

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution RCE through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary cod...

org.apache.causeway.core:causeway-applib (=4.0.0-M1), org.apache.causeway.core:causeway-core-codegen-bytebuddy (=4.0.0-M1) +107 more potentially affected by CVE-2025-64408 via org.apache.causeway.commons:causeway-commons (=4.0.0-M1)

org.apache.causeway.commons:causeway-commons MAVEN version =4.0.0-M1 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.commons:causeway-commons and may be impacted: - org.apache.causeway.core:causeway-applib =4.0.0-M1 -...

dev.savantly.nexus:agents-module (=3.4.0), dev.savantly.nexus:common-types-module (=3.4.0) +152 more potentially affected by CVE-2025-64408 via org.apache.causeway.core:causeway-applib (>=2.0.0-RC1 <=3.4.0)

org.apache.causeway.core:causeway-applib MAVEN version =2.0.0-RC1, =3.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.core:causeway-applib and may be impacted: - dev.savantly.nexus:agents-module =3.4.0 -...

org.apache.causeway.mavendeps:causeway-mavendeps-webapp (=4.0.0-M1) potentially affected by CVE-2025-64408 via org.apache.causeway.viewer:causeway-viewer-wicket-viewer (=4.0.0-M1)

org.apache.causeway.viewer:causeway-viewer-wicket-viewer MAVEN version =4.0.0-M1 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.viewer:causeway-viewer-wicket-viewer and may be impacted: -...

org.apache.causeway.core:causeway-core-interaction (=4.0.0-M1), org.apache.causeway.core:causeway-core-metamodel (=4.0.0-M1) +93 more potentially affected by CVE-2025-64408 via org.apache.causeway.core:causeway-core-config (=4.0.0-M1)

org.apache.causeway.core:causeway-core-config MAVEN version =4.0.0-M1 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.core:causeway-core-config and may be impacted: - org.apache.causeway.core:causeway-core-interaction =4.0.0-M1 -...

dev.savantly.nexus:agents-module (=3.4.0), dev.savantly.nexus:common-types-module (=3.4.0) +156 more potentially affected by CVE-2025-64408 via org.apache.causeway.commons:causeway-commons (>=2.0.0-RC1 <=3.4.0)

org.apache.causeway.commons:causeway-commons MAVEN version =2.0.0-RC1, =3.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.commons:causeway-commons and may be impacted: - dev.savantly.nexus:agents-module =3.4.0 -...

org.apache.causeway.core:causeway-core-config (=4.0.0-M1), org.apache.causeway.core:causeway-core-interaction (=4.0.0-M1) +105 more potentially affected by CVE-2025-64408 via org.apache.causeway.core:causeway-applib (=4.0.0-M1)

org.apache.causeway.core:causeway-applib MAVEN version =4.0.0-M1 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.core:causeway-applib and may be impacted: - org.apache.causeway.core:causeway-core-config =4.0.0-M1 -...

dev.savantly.nexus:agents-module (=3.4.0), dev.savantly.nexus:flow-module (=3.4.0) +43 more potentially affected by CVE-2025-64408 via org.apache.causeway.core:causeway-core-runtimeservices (>=2.0.0-RC1 <=3.4.0)

org.apache.causeway.core:causeway-core-runtimeservices MAVEN version =2.0.0-RC1, =3.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.core:causeway-core-runtimeservices and may be impacted: - dev.savantly.nexus:agents-module =3.4....

dev.savantly.nexus:agents-module (=3.4.0), dev.savantly.nexus:flow-module (=3.4.0) +129 more potentially affected by CVE-2025-64408 via org.apache.causeway.core:causeway-core-metamodel (>=2.0.0-RC1 <=3.4.0)

org.apache.causeway.core:causeway-core-metamodel MAVEN version =2.0.0-RC1, =3.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.core:causeway-core-metamodel and may be impacted: - dev.savantly.nexus:agents-module =3.4.0 -...

org.apache.causeway.core:causeway-core-interaction (=4.0.0-M1), org.apache.causeway.core:causeway-core-runtime (=4.0.0-M1) +87 more potentially affected by CVE-2025-64408 via org.apache.causeway.core:causeway-core-metamodel (=4.0.0-M1)

org.apache.causeway.core:causeway-core-metamodel MAVEN version =4.0.0-M1 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.core:causeway-core-metamodel and may be impacted: - org.apache.causeway.core:causeway-core-interaction =4.0.0-M...

dev.savantly.nexus:agents-module (=3.4.0), dev.savantly.nexus:flow-module (=3.4.0) +135 more potentially affected by CVE-2025-64408 via org.apache.causeway.core:causeway-core-config (>=2.0.0-RC1 <=3.4.0)

org.apache.causeway.core:causeway-core-config MAVEN version =2.0.0-RC1, =3.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.causeway.core:causeway-core-config and may be impacted: - dev.savantly.nexus:agents-module =3.4.0 -...

dev.savantly.nexus:nexus-command-webapp (=3.4.0), org.apache.causeway.mavendeps:causeway-mavendeps-webapp (>=2.0.0 <=3.4.0) potentially affected by CVE-2025-64408 via org.apache.causeway.viewer:causeway-viewer-wicket-viewer (>=2.0.0-RC1 <=3.4.0)

org.apache.causeway.viewer:causeway-viewer-wicket-viewer MAVEN version =2.0.0-RC1, =2.0.0, =3.4.0 Source cves: CVE-2025-64408 Source advisory: SNYK:JAVA-ORGAPACHECAUSEWAYVIEWER-14052594...