CVE-2025-15222

MEDIUM

Dromara Sa-Token <1.44.0 - Deserialization

Title source: llm

Description

A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

[Various Sources] https://github.com/Yohane-Mashiro/satoken-deserialization

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.338607

[Permissions Required, VDB Entry] https://vuldb.com/?id.338607

[Permissions Required, VDB Entry] https://vuldb.com/?submit.717703

Scores

CVSS v3 5.0

EPSS 0.0006

EPSS Percentile 18.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-502 CWE-20

Status draft

Timeline

Published Dec 30, 2025

Tracked Since Feb 18, 2026