CVE-2025-2251
6.2
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
Summary
A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
0 < 36.0.0 | affected | ||
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:2.16.0-21.redhat_00055.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:3.5.10-1.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 1:1.0.2-5.redhat_00004.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:1.9.6-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:2.3.14-9.SP10_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:3.3.27-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:6.0.23-3.SP2_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:1.5.21-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:1.10.0-42.Final_redhat_00042.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:5.4.15-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:7.4.23-3.GA_redhat_00002.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | 0:1.15.26-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:2.16.0-21.redhat_00055.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:3.5.10-1.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 1:1.0.2-5.redhat_00004.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:1.9.6-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:2.3.14-9.SP10_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:3.3.27-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:6.0.23-3.SP2_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:1.5.21-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:1.10.0-42.Final_redhat_00042.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:5.4.15-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:7.4.23-3.GA_redhat_00002.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | 0:1.15.26-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:2.16.0-21.redhat_00055.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:3.5.10-1.redhat_00001.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 1:1.0.2-5.redhat_00004.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:1.9.6-1.Final_redhat_00001.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:2.3.14-9.SP10_redhat_00001.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:3.3.27-1.Final_redhat_00001.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:6.0.23-3.SP2_redhat_00001.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:1.5.21-1.Final_redhat_00001.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:1.10.0-42.Final_redhat_00042.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:5.4.15-1.Final_redhat_00001.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:7.4.23-3.GA_redhat_00002.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | 0:1.15.26-1.Final_redhat_00001.1.el7eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:2.33.0-3.redhat_00017.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:1.11.0-1.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:4.0.6-2.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:0.8.12-1.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:800.8.0-1.GA_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:4.0.3-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:2.1.1-1.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:3.6.24-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:6.2.36-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:4.1.5-4.redhat_00006.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:5.0.31-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:7.3.3-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:6.0.6-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:3.2.1-1.redhat_00002.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:2.2.21-3.redhat_00002.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:2.0.17-1.redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:2.3.0-4.redhat_00010.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:8.0.8-4.GA_redhat_00006.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:2.2.11-1.Final_redhat_00001.1.el8eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.33.0-3.redhat_00017.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:1.11.0-1.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:4.0.6-2.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:0.8.12-1.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:800.8.0-1.GA_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:4.0.3-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.1.1-1.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:3.6.24-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:6.2.36-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:4.1.5-4.redhat_00006.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:5.0.31-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:7.3.3-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:6.0.6-1.Final_redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:3.2.1-1.redhat_00002.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.2.21-3.redhat_00002.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.0.17-1.redhat_00001.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.3.0-4.redhat_00010.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:8.0.8-4.GA_redhat_00006.1.el9eap < * | unaffected |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.2.11-1.Final_redhat_00001.1.el9eap < * | unaffected |
Weaknesses
- CWE-502: Deserialization of Untrusted Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://access.redhat.com/errata/RHSA-2025:10452
- https://access.redhat.com/errata/RHSA-2025:10453
- https://access.redhat.com/errata/RHSA-2025:10459
- https://access.redhat.com/errata/RHSA-2025:10924
- https://access.redhat.com/errata/RHSA-2025:10925
- https://access.redhat.com/errata/RHSA-2025:10926
- https://access.redhat.com/errata/RHSA-2025:10931
- https://access.redhat.com/security/cve/CVE-2025-2251
- https://bugzilla.redhat.com/show_bug.cgi?id=2351678
- https://github.com/wildfly/wildfly/pull/18872
- https://github.com/wildfly/wildfly/releases/tag/36.0.0.Final
- https://issues.redhat.com/browse/WFLY-20550
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.