CVE-2025-15117

Summary

A weakness has been identified in Dromara Sa-Token up to 1.44.0. This affects the function ObjectInputStream.readObject of the file SaJdkSerializer.java. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
DromaraSa-Token1.0affected
DromaraSa-Token1.1affected
DromaraSa-Token1.2affected
DromaraSa-Token1.3affected
DromaraSa-Token1.4affected
DromaraSa-Token1.5affected
DromaraSa-Token1.6affected
DromaraSa-Token1.7affected
DromaraSa-Token1.8affected
DromaraSa-Token1.9affected
DromaraSa-Token1.10affected
DromaraSa-Token1.11affected
DromaraSa-Token1.12affected
DromaraSa-Token1.13affected
DromaraSa-Token1.14affected
DromaraSa-Token1.15affected
DromaraSa-Token1.16affected
DromaraSa-Token1.17affected
DromaraSa-Token1.18affected
DromaraSa-Token1.19affected
DromaraSa-Token1.20affected
DromaraSa-Token1.21affected
DromaraSa-Token1.22affected
DromaraSa-Token1.23affected
DromaraSa-Token1.24affected
DromaraSa-Token1.25affected
DromaraSa-Token1.26affected
DromaraSa-Token1.27affected
DromaraSa-Token1.28affected
DromaraSa-Token1.29affected
DromaraSa-Token1.30affected
DromaraSa-Token1.31affected
DromaraSa-Token1.32affected
DromaraSa-Token1.33affected
DromaraSa-Token1.34affected
DromaraSa-Token1.35affected
DromaraSa-Token1.36affected
DromaraSa-Token1.37affected
DromaraSa-Token1.38affected
DromaraSa-Token1.39affected
DromaraSa-Token1.40affected
DromaraSa-Token1.41affected
DromaraSa-Token1.42affected
DromaraSa-Token1.43affected
DromaraSa-Token1.44.0affected

Weaknesses

  • CWE-502: Deserialization
  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References