CVE-2025-2251 MEDIUM

CVE-2025-2251: Org.jboss.eap:wildfly-ejb3: improper deserialization in jboss marshalling allows remote code execution

Vendor Red Hat

Product Red Hat JBoss Enterprise Application Platform 7.4.23

Weakness CWE-502 · Unsafe deserialization

Published April 7, 2025

Last update November 11, 2025

View on NVD All CVEs

CVSS base score

6.2/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H

What the vulnerability does

01Description

A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.

Key dates

02Disclosure timeline

April 7, 2025 CVE published

November 11, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-2251 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

Identifiers

CVE CVE-2025-2251

CWE CWE-502

CVSS 6.2 / MEDIUM

Affected versions

Vendor Red Hat

Product Red Hat JBoss Enterprise Application Platform 7.4.23

Affected All versions

Vendor Red Hat

Product Red Hat JBoss Enterprise Application Platform 8.0.8

Affected All versions

Vendor Red Hat

Product Red Hat JBoss Enterprise Application Platform Expansion Pack

Affected All versions

CVE-2025-2251: Org.jboss.eap:wildfly-ejb3: improper deserialization in jboss marshalling allows remote code execution

01Description

02Disclosure timeline

03References

04Related CVE