CVE-2024-56180

CRITICAL

Apache Eventmesh < 1.11.0 - Insecure Deserialization

Title source: rule

Description

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.

References (2)

[Issue Tracking, Mailing List, Vendor Advisory] https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2025/02/14/7

Scores

CVSS v3 9.8

EPSS 0.0064

EPSS Percentile 70.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

apache/eventmesh < 1.11.0

org.apache.eventmesh/eventmesh-meta-raft < 1.11.0Maven

Timeline

Published Feb 14, 2025

Tracked Since Feb 18, 2026