CVE-2025-2251 - Vulnerability Details

CVE-2025-2251 - Org.jboss.eap:wildfly-ejb3: improper deserialization in jboss marshalling allows remote code execution

A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Redhat	Jboss Enterprise Application Platform Jbosseapxp

No data.

Package	CPE	Advisory	Released Date
Red Hat JBoss Enterprise Application Platform 8.0.8
wildfly-ejb3	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10459	2025-07-07T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
eap8-activemq-artemis-0:2.33.0-3.redhat_00017.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-apache-commons-beanutils-0:1.11.0-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-apache-cxf-0:4.0.6-2.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-apache-mime4j-0:0.8.12-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-eap-product-conf-parent-0:800.8.0-1.GA_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-elytron-web-0:4.0.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-fastinfoset-0:2.1.1-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-hal-console-0:3.6.24-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-hibernate-0:6.2.36-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-httpcomponents-asyncclient-0:4.1.5-4.redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-jboss-remoting-0:5.0.31-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-jbossws-cxf-0:7.3.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-narayana-0:6.0.6-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-neethi-0:3.2.1-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-reactivex-rxjava2-0:2.2.21-3.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-slf4j-0:2.0.17-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-velocity-0:2.3.0-4.redhat_00010.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-wildfly-0:8.0.8-4.GA_redhat_00006.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
eap8-wildfly-elytron-0:2.2.11-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8	RHSA-2025:10452	2025-07-07T00:00:00Z
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
eap8-activemq-artemis-0:2.33.0-3.redhat_00017.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-apache-commons-beanutils-0:1.11.0-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-apache-cxf-0:4.0.6-2.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-apache-mime4j-0:0.8.12-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-eap-product-conf-parent-0:800.8.0-1.GA_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-elytron-web-0:4.0.3-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-fastinfoset-0:2.1.1-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-hal-console-0:3.6.24-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-hibernate-0:6.2.36-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-httpcomponents-asyncclient-0:4.1.5-4.redhat_00006.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-jboss-remoting-0:5.0.31-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-jbossws-cxf-0:7.3.3-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-narayana-0:6.0.6-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-neethi-0:3.2.1-1.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-reactivex-rxjava2-0:2.2.21-3.redhat_00002.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-slf4j-0:2.0.17-1.redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-velocity-0:2.3.0-4.redhat_00010.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-wildfly-0:8.0.8-4.GA_redhat_00006.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z
eap8-wildfly-elytron-0:2.2.11-1.Final_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9	RHSA-2025:10453	2025-07-07T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:10452
https://access.redhat.com/errata/RHSA-2025:10453
https://access.redhat.com/errata/RHSA-2025:10459
https://access.redhat.com/errata/RHSA-2025:10924
https://access.redhat.com/errata/RHSA-2025:10925
https://access.redhat.com/errata/RHSA-2025:10926
https://access.redhat.com/errata/RHSA-2025:10931
https://access.redhat.com/security/cve/CVE-2025-2251
https://bugzilla.redhat.com/show_bug.cgi?id=2351678
https://nvd.nist.gov/vuln/detail/CVE-2025-2251
https://www.cve.org/CVERecord?id=CVE-2025-2251

History

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00826}`	epss `{'score': 0.01834}`

Mon, 14 Jul 2025 20:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:jboss_enterprise_application_platform:7~~	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
References		https://access.redhat.com/errata/RHSA-2025:10924 https://access.redhat.com/errata/RHSA-2025:10925 https://access.redhat.com/errata/RHSA-2025:10926 https://access.redhat.com/errata/RHSA-2025:10931

Mon, 07 Jul 2025 14:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:jboss_enterprise_application_platform:8~~	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8 cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
References		https://access.redhat.com/errata/RHSA-2025:10452 https://access.redhat.com/errata/RHSA-2025:10453 https://access.redhat.com/errata/RHSA-2025:10459

Tue, 08 Apr 2025 02:00:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-2251 https://www.cve.org/CVERecord?id=CVE-2025-2251
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 07 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 07 Apr 2025 15:30:00 +0000

Type	Values Removed	Values Added
Description		A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.
Title		Org.jboss.eap:wildfly-ejb3: improper deserialization in jboss marshalling allows remote code execution
First Time appeared		Redhat Redhat jboss Enterprise Application Platform Redhat jbosseapxp
Weaknesses		CWE-502
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jbosseapxp
Vendors & Products		Redhat Redhat jboss Enterprise Application Platform Redhat jbosseapxp
References		https://access.redhat.com/security/cve/CVE-2025-2251 https://bugzilla.redhat.com/show_bug.cgi?id=2351678
Metrics		cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-04-07T14:06:46.985Z

Updated: 2025-07-14T19:55:36.919Z

Reserved: 2025-03-12T13:53:37.117Z

Link: CVE-2025-2251

Vulnrichment

Updated: 2025-04-07T14:18:38.922Z

NVD

Status : Awaiting Analysis

Published: 2025-04-07T14:15:24.400

Modified: 2025-07-14T20:15:26.890

Link: CVE-2025-2251

Redhat

Severity : Moderate

Publid Date: 2025-04-07T00:00:00Z

Links: CVE-2025-2251 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object