CVE-2025-15246
Description
A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-15246 describes a remote deserialization vulnerability in aizuda snail-job up to 1.7.0 on macOS, publicly disclosed and exploitable via the API's FurySerializer.deserialize function.
Vulnerability
Overview
CVE-2025-15246 is a deserialization vulnerability affecting aizuda snail-job, a distributed task retry and scheduling platform, up to version 1.7.0 on macOS. The flaw resides in the FurySerializer.deserialize function within the API component, where manipulation of the argsStr argument leads to unsafe deserialization of untrusted data. This vulnerability has been publicly disclosed, increasing the risk of exploitation [2].
Exploitation
An attacker can exploit this remotely, without prior authentication, by crafting a malicious serialized payload and passing it as the argsStr parameter to the deserialization endpoint. The attack vector is the network, and no privileges are required beyond network access to the vulnerable API [2].
Impact
Successful deserialization allows an attacker to execute arbitrary code on the snail-job server, potentially leading to full compromise of the application and underlying system. Given that snail-job handles distributed tasks and job scheduling, an attacker could disrupt operations, exfiltrate sensitive data, or pivot to other systems [2].
Mitigation
As of the publication date (2025-12-30), no patch is available for the described version (1.7.0). Users are advised to monitor the official repository [1] for updates. In the interim, restricting network access to the API and validating input may reduce risk, although upgrading to a patched version is the only permanent fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.