CVE-2025-15117
📋 TL;DR
This vulnerability in Dromara Sa-Token allows remote attackers to execute arbitrary code through insecure deserialization in the SaJdkSerializer component. It affects all systems running Sa-Token up to version 1.44.0 where the vulnerable serializer is used. The attack requires specific conditions but could lead to complete system compromise.
💻 Affected Systems
- Dromara Sa-Token
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise, data theft, or ransomware deployment
Likely Case
Limited impact due to high exploit complexity, potentially causing service disruption or data manipulation
If Mitigated
Minimal impact if proper input validation and deserialization controls are implemented
🎯 Exploit Status
Exploit requires specific deserialization conditions and payload construction
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: Yes
Instructions:
1. Monitor vendor channels for updates
2. Upgrade to the patched version when available
3. Restart affected services
🔧 Temporary Workarounds
Replace SaJdkSerializer
Replace the vulnerable SaJdkSerializer with a serializer that does not use native Java deserialization, such as a JSON-based serializer or a custom implementation
Modify SaTokenConfig to use a different serializer
Input Validation Filter
Implement strict input validation and filtering on any endpoint that accepts serialized data
Add request filtering for serialized data inputs
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems
- Deploy web application firewall with deserialization attack rules
🔍 How to Verify
Check if Vulnerable:
Check Sa-Token version in pom.xml or build configuration
Check Version:
grep -i 'sa-token' pom.xml || find . -name '*.jar' | xargs -I {} sh -c 'unzip -l {} 2>/dev/null | grep -i sa-token'
Verify Fix Applied:
Verify SaJdkSerializer is not in use or has been replaced
📡 Detection & Monitoring
Log Indicators:
- Unusual Java deserialization errors
- Unexpected ObjectInputStream usage
- ClassNotFoundException for unexpected classes
Network Indicators:
- Unusual base64-encoded payloads in requests
- Requests to deserialization endpoints with serialized objects
SIEM Query:
source="application.logs" AND ("ObjectInputStream" OR "readObject" OR "Serialization") AND status="ERROR"
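As an added example (not part of the original page), a small Python scanner that applies the log indicators above to constructed sample lines: the SIEM query's rule (ERROR level plus a serialization keyword) and an allowlist check on the class named in any ClassNotFoundException. The log line format and the allowlisted class prefixes are assumptions; tune them to your own deployment.

```python
import re

# Constructed sample log lines (not taken from the page or any real system).
SAMPLE_LOGS = [
    "2025-01-10T10:00:01Z INFO  SaTokenDao - session loaded via SaJdkSerializer",
    "2025-01-10T10:00:02Z ERROR SaJdkSerializer - java.io.InvalidClassException: readObject failed for token payload",
    "2025-01-10T10:00:03Z ERROR SaJdkSerializer - java.lang.ClassNotFoundException: com.example.Gadget",
    "2025-01-10T10:00:04Z ERROR SaJdkSerializer - java.lang.ClassNotFoundException: cn.dev33.satoken.session.SaSession",
    "2025-01-10T10:00:05Z WARN  ObjectInputStream - filter status REJECTED for class com.example.Gadget",
]

# Keywords from the SIEM query above, matched case-insensitively so that
# "deserialization" is caught as well as "Serialization".
KEYWORDS = ("objectinputstream", "readobject", "serialization")

# Assumed allowlist of class-name prefixes the application legitimately
# deserializes (Sa-Token session classes and basic JDK types).
EXPECTED_CLASS_PREFIXES = ("cn.dev33.satoken.", "java.util.", "java.lang.")

# Assumed log layout: "<timestamp> <LEVEL> <logger> - <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$")
CNFE_RE = re.compile(r"ClassNotFoundException:\s*(?P<cls>[\w.$]+)")


def scan_logs(lines):
    """Return (line_index, rule, detail) tuples for lines matching an indicator."""
    findings = []
    for idx, line in enumerate(lines):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        level, msg = m.group("level"), m.group("msg")
        lowered = msg.lower()
        # Rule 1: the SIEM query -> ERROR-level entries mentioning serialization
        if level == "ERROR" and any(k in lowered for k in KEYWORDS):
            findings.append((idx, "serialization_error", msg))
        # Rule 2: ClassNotFoundException naming a class outside the allowlist
        c = CNFE_RE.search(msg)
        if c and not c.group("cls").startswith(EXPECTED_CLASS_PREFIXES):
            findings.append((idx, "unexpected_class", c.group("cls")))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {rule}: {detail}")
```

The WARN line is deliberately not flagged: it shows that the ERROR-only SIEM query misses filter rejections, which you may want to alert on separately.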