CVE-2025-66214
HIGHLadybug < 3.0-20251107.114628 - Remote Code Execution via XML Deserialization
Title source: llmDescription
Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628.
References (1)
Core 1
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/wearefrank/ladybug/security/advisories/GHSA-f9fh-r3cv-398f
Scores
CVSS v3
7.0
EPSS
0.0027
EPSS Percentile
18.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-502
Status
published
Products (1)
wearefrank/ladybug
< 3.0-20251107.114628
Published
Dec 09, 2025
Tracked Since
Feb 18, 2026