Apache Causeway ViewModel RCE via Java Deserialization (fixed 3.5.0)
CVE-2025-64408 Published on November 19, 2025
Apache Causeway: Java deserialization vulnerability to authenticated attackers
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.
This issue affects all current versions.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
Vulnerability Analysis
CVE-2025-64408 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2025-64408 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Affected Versions
Apache Software Foundation Apache Causeway:- Version 2.0.0, <= 3.4.0 is affected.
- Version 4.0.0-M1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.