CVE-2025-2251

Org.jboss.eap:wildfly-ejb3: improper deserialization in jboss marshalling allows remote code execution

Description

A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.

References

Link	Tags
https://access.redhat.com/errata/RHSA-2025:10452	vendor advisory
https://access.redhat.com/errata/RHSA-2025:10453	vendor advisory
https://access.redhat.com/errata/RHSA-2025:10459	vendor advisory
https://access.redhat.com/security/cve/CVE-2025-2251	vdb entry
https://bugzilla.redhat.com/show_bug.cgi?id=2351678	issue tracking

Frequently Asked Questions

What is the severity of CVE-2025-2251?: CVE-2025-2251 has been scored as a medium severity vulnerability.
How to fix CVE-2025-2251?: To fix CVE-2025-2251, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-2251 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-2251 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-2251?: CVE-2025-2251 affects Red Hat Red Hat JBoss Enterprise Application Platform 8.0.8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, Red Hat Red Hat JBoss Enterprise Application Platform 7, Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack.

Description

Category

CWE-502 – Deserialization of Untrusted Data

References

Frequently Asked Questions