CVE-2025-2251

Source
https://cve.org/CVERecord?id=CVE-2025-2251
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-2251.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-2251
Downstream
Published
2025-04-07T14:06:46.985Z
Modified
2026-06-27T12:00:31.515334897Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
Summary
org.jboss.eap:wildfly-ejb3: improper deserialization in JBoss Marshalling allows remote code execution
Details

A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.

Database specific
{
    "cna_assigner": "redhat",
    "cwe_ids": [
        "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/2xxx/CVE-2025-2251.json"
}
References

Affected packages

Git / github.com/wildfly/wildfly

Affected ranges

Type
GIT
Repo
https://github.com/wildfly/wildfly
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "36.0.0"
        }
    ]
}

Affected versions

10.*
10.0.0.Alpha1
10.0.0.Alpha2
10.0.0.Alpha3
10.0.0.Alpha4
10.0.0.Alpha5
10.0.0.Alpha6
10.0.0.Beta1
10.0.0.Beta2
10.0.0.CR1
10.0.0.CR2
10.0.0.CR3
10.0.0.CR4
10.0.0.CR5
10.0.0.Final
11.*
11.0.0.CR1
11.0.0.Final
12.*
12.0.0.Beta1
12.0.0.CR1
12.0.0.Final
13.*
13.0.0.Beta1
14.*
14.0.0.Beta1
14.0.0.Beta2
14.0.0.Final
15.*
15.0.0.Beta1
15.0.0.Final
16.*
16.0.0.Beta1
16.0.0.Final
17.*
17.0.0.Alpha1
17.0.0.Beta1
17.0.0.Final
18.*
18.0.0.Beta1
18.0.0.Final
19.*
19.0.0.Beta1
19.0.0.Beta2
20.*
20.0.0.Beta1
20.0.0.Final
21.*
21.0.0.Beta1
21.0.0.Final
22.*
22.0.0.Alpha1
22.0.0.Beta1
22.0.0.Final
23.*
23.0.0.Beta1
23.0.0.Final
24.*
24.0.0.Beta1
25.*
25.0.0.Beta1
25.0.0.Final
26.*
26.0.0.Beta1
27.*
27.0.0.Alpha1
27.0.0.Alpha2
27.0.0.Alpha3
27.0.0.Alpha4
27.0.0.Beta1
28.*
28.0.0.Beta1
28.0.0.Final
29.*
29.0.0.Alpha1
29.0.0.Beta1
29.0.0.Final
30.*
30.0.0.Beta1
30.0.0.Final
31.*
31.0.0.Beta1
31.0.0.Final
32.*
32.0.0.Beta1
32.0.0.Final
33.*
33.0.0.Beta1
34.*
34.0.0.Beta1
34.0.0.Final
35.*
35.0.0.Beta1
35.0.0.Final
36.*
36.0.0.Beta1
7.*
7.0.0.Alpha1
7.0.0.Alpha1-final
7.0.0.Beta1-prerelease
7.0.0.Beta2
7.0.0.Beta2-prerelease
7.0.0.Beta3
7.0.0.CR1
7.0.0.Final
7.0.0.Final-prerelease
7.0.0.Final-prerelease2
7.0.0.Final-prerelease3
7.1.0.Alpha1
7.1.0.Beta1
7.1.0.CR1
7.1.0.Final
7.1.0.Final-prerelease
7.1.0.Final-prerelease2
7.1.1.Final
7.1.2-prerelease
7.1.2.Final
7.2.0.Final
7.2.0.Final-prerelease1
8.*
8.0.0.Alpha1
8.0.0.Alpha2
8.0.0.Alpha3
8.0.0.Alpha4
8.0.0.Beta1
8.0.0.CR1
8.0.0.Final
8.1.0.CR1
8.1.0.CR2
9.*
9.0.0.Beta1
9.0.0.Beta2
9.0.0.CR1
Other
Pre_EE10_Big_Bang

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-2251.json"