NutzBoot 2.6.0-SNAPSHOT LiteRpc Deserialization via HttpServletEndpoint
CVE-2025-13805 Published on December 1, 2025
nutzam NutzBoot LiteRpc-Serializer HttpServletRpcEndpoint.java getInputStream deserialization
A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing a manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update 2 days later.
Weakness Types
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2025-13805 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2025-13805
Want to know whenever a new CVE is published for Nutzam Nutzboot? stack.watch will email you.
Affected Versions
nutzam NutzBoot Version 2.6.0-SNAPSHOT is affected by CVE-2025-13805Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.