Skip to content

Apache Seata Vulnerable to Deserialization of Untrusted Data

Low severity GitHub Reviewed Published Jun 28, 2025 to the GitHub Advisory Database • Updated Mar 30, 2026

Package

maven org.apache.seata:seata-config-core (Maven)

Affected versions

>= 2.0.0, < 2.3.0

Patched versions

2.3.0

Description

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).

This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow.
This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0.

The Apache Seata security team assesses the severity of this vulnerability as "Low" due to stringent real-world mitigating factors. First, the vulnerability is strictly isolated to the Raft cluster mode, an optional and non-default feature introduced in v2.0.0, while most users rely on the unaffected traditional architecture. Second, Seata is an internal middleware; communication between TC and RM/TM occurs entirely within trusted internal networks. An attacker would require prior, unauthorized access to the Intranet to exploit this, making external exploitation highly improbable.

Users are recommended to upgrade to version 2.3.0, which fixes the issue.

References

Published by the National Vulnerability Database Jun 28, 2025
Published to the GitHub Advisory Database Jun 28, 2025
Reviewed Jun 30, 2025
Last updated Mar 30, 2026

Severity

Low

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(52nd percentile)

Weaknesses

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Learn more on MITRE.

CVE ID

CVE-2025-32897

GHSA ID

GHSA-m964-fjrh-xxq2

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.