CVE-2025-66214 HIGH

CVE-2025-66214: Ladybug has an XMLDecoder Deserialization Vulnerability (Java RCE)

Vendor Wearefrank

Product ladybug

Weakness CWE-502 · Unsafe deserialization

Published December 9, 2025

Last update December 9, 2025

View on NVD All CVEs

CVSS base score

7.0/10

Attack vector Local

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L

What the vulnerability does

Description

Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628.

Key dates

Disclosure timeline

December 9, 2025 CVE published

December 9, 2025 Record updated