CVE-2025-2251
Severity: MEDIUM
WildFly/JBoss EAP - RCE
A security flaw exists in the Enterprise JavaBeans (EJB) remote invocation mechanism of WildFly and JBoss Enterprise Application Platform (EAP). The flaw stems from deserialization of untrusted data handled by JBoss Marshalling: an attacker can send a specially crafted serialized object that leads to remote code execution without requiring authentication.
Scores
CVSS v3: 6.2
EPSS: 0.0384
EPSS Percentile: 88.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
Classification
CWE: CWE-502
Status: draft
Timeline
Published: Apr 07, 2025
Tracked Since: Feb 18, 2026