CVE-2025-13805 MEDIUM

CVE-2025-13805: nutzam NutzBoot LiteRpc-Serializer HttpServletRpcEndpoint.java getInputStream deserialization

Vendor: Nutzam
Product: NutzBoot
Weakness: CWE-502 · Unsafe deserialization
Published: December 1, 2025
Last update: February 24, 2026

CVSS base score: 6.3/10

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. It affects the function getInputStream in the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Manipulating the input can lead to deserialization. The attack can be launched remotely. Attack complexity is high, and exploitability is reported as difficult. An exploit has been made publicly available and could be used for attacks.

Key dates

Disclosure timeline

December 1, 2025: CVE published
February 24, 2026: Record updated