CVE-2025-15222

5.0 MEDIUM

📋 TL;DR

This vulnerability in Dromara Sa-Token allows remote attackers to execute arbitrary code through insecure deserialization in the SaSerializerTemplateForJdkUseBase64.java component: the serializer Base64-decodes its input and hands the bytes to Java native (JDK) deserialization, so an attacker who controls the serialized data it reads controls the object graph that gets instantiated. It affects systems running Sa-Token up to and including version 1.44.0 that use this serializer. Exploitation requires specific conditions (notably suitable gadget classes on the application's classpath) but can lead to complete system compromise.

💻 Affected Systems

Products:
  • Dromara Sa-Token
Versions: Up to and including 1.44.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only deployments in which SaSerializerTemplateForJdkUseBase64 is the active serializer are affected; other serializer implementations may not be.

⚠️ Manual Verification Required

The database entry for this CVE carries no vendor- or NVD-supplied version ranges, so automatic vulnerability detection cannot determine whether a given system is affected. The "up to and including 1.44.0" bound quoted above must therefore be confirmed manually against the vendor's advisory and the version actually deployed.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full system compromise, data theft, and lateral movement within the network.

🟠 Likely Case: Denial of service or limited code execution, depending on attacker skill, system configuration, and which gadget classes are present on the application's classpath.

🟢 If Mitigated: The attack fails because the serializer has been replaced or a deserialization allow-list filter rejects the stream, because network segmentation keeps the vulnerable component unreachable, or because the dependencies a payload relies on are absent.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

The exploit requires specific conditions and knowledge of the target system. A public PoC exists but requires adaptation to the target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

  1. Monitor the Dromara Sa-Token GitHub repository for security updates.
  2. Consider migrating to an alternative authentication library if no patch is forthcoming.
  3. Apply the workarounds below immediately.

🔧 Temporary Workarounds

1. Replace vulnerable serializer (all platforms)

   Replace SaSerializerTemplateForJdkUseBase64 with a serializer that never passes attacker-influenced bytes to Java native deserialization (for example a JSON-based one): modify the Sa-Token configuration to use a different serializer class.

2. Input validation filter (all platforms)

   Implement strict validation at every deserialization entry point. Generic input validation cannot safely judge an opaque serialized object graph, so the effective control is a JDK serialization filter (java.io.ObjectInputFilter, JEP 290, Java 9+) installed before ObjectInputStream.readObject is called: it allow-lists the classes the application actually stores and rejects every other class before its constructor, readObject() or readResolve() can run.
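The allow-list filter described above, as an added example written for this page (it is not Sa-Token's code, and how it would be wired into Sa-Token's serializer hook depends on the installed version and is not shown): a Base64/JDK (de)serializer pair in which the ObjectInputStream carries a JEP 290 filter. The allow-listed class (java.util.HashMap) is an assumption standing in for whatever concrete types the application really persists; the second part of main() shows a stream naming a class outside the list being rejected before any object is built.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Base64 + JDK serialization guarded by a JEP 290 allow-list filter (Java 9+).
 * Illustrative code, not part of Sa-Token; the allowed class list is an assumption
 * standing in for whatever types the application really stores.
 */
public class FilteredJdkBase64Serializer {

    // Allow-list pattern: the listed classes pass, "!*" rejects every other class
    // before its constructor, readObject() or readResolve() can run. maxdepth and
    // maxrefs bound nesting and object count so a crafted stream cannot exhaust memory.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.lang.**;maxdepth=16;maxrefs=256;!*");

    public static String objectToBase64(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static Object base64ToObject(String b64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            // Must be installed before readObject(): the filter is consulted as each
            // class descriptor is resolved, i.e. before any object is instantiated.
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the kind of session map an auth framework might persist.
        Map<String, String> session = new HashMap<>();
        session.put("loginId", "10001");
        System.out.println("allowed:  " + base64ToObject(objectToBase64(session)));

        // java.util.ArrayList is not on the allow-list, so the filter rejects the
        // stream with InvalidClassException ("filter status: REJECTED") instead of
        // building the object graph it describes.
        String notAllowed = objectToBase64(new ArrayList<>(List.of("x")));
        try {
            base64ToObject(notAllowed);
            System.out.println("BUG: stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The pattern string is the whole policy: list only the exact classes (or packages with `.*` / `.**`) the store is expected to contain, keep the trailing `!*`, and treat any `filter status: REJECTED` in the logs as an investigation trigger rather than as noise to widen the list around.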

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Deploy WAF rules to block suspicious deserialization patterns: a Base64-encoded Java serialized stream begins with rO0AB (the encoding of the 0xACED0005 stream magic). Treat this as a coarse signal, since an application that legitimately transports JDK-serialized data will also emit it.

🔍 How to Verify

Check if Vulnerable:

Confirm that the Sa-Token version is ≤ 1.44.0 and that SaSerializerTemplateForJdkUseBase64 is the active serializer (search the source tree and configuration for the class name).

Check Version:

Check pom.xml or build.gradle for the sa-token dependency version, and confirm the resolved version with `mvn dependency:tree` or `gradle dependencies`, since dependency management can override the declared one.

Verify Fix Applied:

Verify that the serializer has been replaced (or a serialization filter installed), then, in a non-production environment, confirm that known deserialization payloads are rejected before readObject completes rather than producing any side effect.

📡 Detection & Monitoring

Log Indicators:

  • Java deserialization errors (InvalidClassException, StreamCorruptedException)
  • Unexpected ClassNotFoundException during request handling
  • Suspicious ObjectInputStream usage
  • Once a serialization filter is installed: InvalidClassException with "filter status: REJECTED", which records a stream that named a class outside the allow-list

Network Indicators:

  • Base64-encoded Java serialized objects in HTTP requests (the stream magic 0xACED0005 encodes to a token beginning with rO0AB)
  • Unusual outbound connections from the application immediately after a deserialization

SIEM Query:

source="application.log" AND "ObjectInputStream" AND "readObject" AND error
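To turn the indicators above into something that runs over logs, here is an added example written for this page (not code from Sa-Token or from the advisory; Java 16+ for the record type). It finds Base64 tokens beginning with rO0AB, verifies the 0xACED0005 stream magic after decoding, and reads the class name from the first class descriptor so an analyst can pivot on it. The sample log lines, URL paths and parameter names are constructed for the demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Finds Base64-encoded Java serialization streams in log lines and names the first class they carry. */
public class SerializedStreamScanner {

    // 0xAC 0xED 0x00 0x05 (STREAM_MAGIC + STREAM_VERSION) always Base64-encodes to "rO0AB...".
    private static final Pattern B64_TOKEN = Pattern.compile("rO0AB[A-Za-z0-9+/]{8,}={0,2}");

    /** One finding: 1-based log line and the first TC_CLASSDESC class name in the stream. */
    public record Hit(int line, String firstClass) {}

    /**
     * Returns the class name from the first class descriptor, or null if the bytes are
     * not a Java serialization stream or begin with something that carries no class
     * descriptor (string, null, back-reference). Tag bytes follow ObjectStreamConstants.
     */
    static String firstClassName(byte[] s) {
        if (s.length < 6 || (s[0] & 0xff) != 0xAC || (s[1] & 0xff) != 0xED || s[2] != 0 || s[3] != 5) {
            return null;
        }
        int pos = 4;
        int tc = s[pos] & 0xff;
        if (tc == 0x73 || tc == 0x75 || tc == 0x76) {   // TC_OBJECT, TC_ARRAY, TC_CLASS
            pos++;                                       // each is followed by a class descriptor
        }
        if (pos + 2 >= s.length || (s[pos] & 0xff) != 0x72) {   // TC_CLASSDESC
            return null;
        }
        int len = ((s[pos + 1] & 0xff) << 8) | (s[pos + 2] & 0xff);   // 2-byte UTF length prefix
        if (pos + 3 + len > s.length) {
            return null;                                 // truncated stream
        }
        return new String(s, pos + 3, len, StandardCharsets.UTF_8);
    }

    public static List<Hit> scan(List<String> logLines) {
        List<Hit> hits = new ArrayList<>();
        Base64.Decoder decoder = Base64.getDecoder();
        for (int n = 0; n < logLines.size(); n++) {
            Matcher m = B64_TOKEN.matcher(logLines.get(n));
            while (m.find()) {
                byte[] raw;
                try {
                    raw = decoder.decode(m.group());
                } catch (IllegalArgumentException e) {
                    continue;                            // looked like Base64 but was not
                }
                String cls = firstClassName(raw);
                if (cls != null) {
                    hits.add(new Hit(n + 1, cls));
                }
            }
        }
        return hits;
    }

    // Helper only for building the constructed sample below.
    static String base64Of(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws IOException {
        // Constructed log lines; the paths and parameter names are hypothetical.
        String ordinary = "GET /api/user?token=abcdef0123456789ABCDEF HTTP/1.1 200";
        String serialized = "POST /api/login satoken="
                + base64Of(new HashMap<>(Map.of("loginId", "10001"))) + " HTTP/1.1 200";
        for (Hit h : scan(List.of(ordinary, serialized))) {
            System.out.println("line " + h.line() + ": Java serialized stream, first class " + h.firstClass());
        }
    }
}
```

Because only the first few dozen bytes are needed, a token cut short by URL-encoding (a `+` logged as `%2B`) still yields the leading class name; URL-decode the line first if you want the whole stream. Where the application legitimately transports JDK-serialized data in Base64, the rO0AB prefix is expected traffic; the first class name, and in particular any class that is not one the application stores, is the part worth alerting on.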
