CVE-2025-2251

Summary

A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.

Affected Software

VendorProductVersion RangeStatus
0 < 36.0.0affected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:2.16.0-21.redhat_00055.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:3.5.10-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 81:1.0.2-5.redhat_00004.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:1.9.6-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:2.3.14-9.SP10_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:3.3.27-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:6.0.23-3.SP2_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:1.5.21-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:1.10.0-42.Final_redhat_00042.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:5.4.15-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:7.4.23-3.GA_redhat_00002.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 80:1.15.26-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:2.16.0-21.redhat_00055.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:3.5.10-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 91:1.0.2-5.redhat_00004.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:1.9.6-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:2.3.14-9.SP10_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:3.3.27-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:6.0.23-3.SP2_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:1.5.21-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:1.10.0-42.Final_redhat_00042.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:5.4.15-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:7.4.23-3.GA_redhat_00002.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 90:1.15.26-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:2.16.0-21.redhat_00055.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:3.5.10-1.redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 71:1.0.2-5.redhat_00004.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:1.9.6-1.Final_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:2.3.14-9.SP10_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:3.3.27-1.Final_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:6.0.23-3.SP2_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:1.5.21-1.Final_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:1.10.0-42.Final_redhat_00042.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:5.4.15-1.Final_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:7.4.23-3.GA_redhat_00002.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 70:1.15.26-1.Final_redhat_00001.1.el7eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.33.0-3.redhat_00017.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:1.11.0-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:4.0.6-2.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:0.8.12-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:800.8.0-1.GA_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:4.0.3-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.1.1-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:3.6.24-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:6.2.36-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:4.1.5-4.redhat_00006.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:5.0.31-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:7.3.3-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:6.0.6-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:3.2.1-1.redhat_00002.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.2.21-3.redhat_00002.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.0.17-1.redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.3.0-4.redhat_00010.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:8.0.8-4.GA_redhat_00006.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.2.11-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.33.0-3.redhat_00017.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:1.11.0-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:4.0.6-2.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:0.8.12-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:800.8.0-1.GA_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:4.0.3-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.1.1-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:3.6.24-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:6.2.36-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:4.1.5-4.redhat_00006.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:5.0.31-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:7.3.3-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:6.0.6-1.Final_redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:3.2.1-1.redhat_00002.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.2.21-3.redhat_00002.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.0.17-1.redhat_00001.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.3.0-4.redhat_00010.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:8.0.8-4.GA_redhat_00006.1.el9eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.2.11-1.Final_redhat_00001.1.el9eap < *unaffected

Weaknesses

  • CWE-502: Deserialization of Untrusted Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References