CVE-2025-30285

HIGH Year: 2025
CVSS v3 Score
8.4
High
Weakness Type
CWE-502
View all →

Vulnerability Description

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction and scope is changed.

Related Vulnerabilities

CVE-2018-9474

HIGH
CVSS:8.4(High)

In writeToParcel of MediaPlayer.java, there is a possible serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no additional e...

CWE-5022018

CVE-2025-30284

HIGH
CVSS:8.4(High)

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current u...

CWE-5022025

CVE-2021-39150

HIGH
CVSS:8.5(High)

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicl...

CWE-5022021

CVE-2021-39152

HIGH
CVSS:8.5(High)

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicl...

CWE-5022021

CVE-2022-41137

HIGH
CVSS:8.3(High)

Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) si...

CWE-5022022