VYPR
High severity · NVD Advisory · Published Aug 8, 2025 · Updated Nov 4, 2025

Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server

CVE-2025-53606

Description

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).

This issue affects Apache Seata (incubating): 2.4.0.

Users are recommended to upgrade to version 2.5.0, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Deserialization of untrusted data in Apache Seata 2.4.0 allows remote code execution; upgrade to 2.5.0.

Vulnerability

CVE-2025-53606 is a deserialization of untrusted data vulnerability in Apache Seata (incubating) version 2.4.0. The root cause is a missing class name whitelist check during Fury deserialization, as identified in fix commit [#7498][3]. This allows an attacker to supply malicious serialized data that, when deserialized by the Seata server, can lead to arbitrary code execution.

Exploitation

Exploitation requires the attacker to send crafted serialized objects to the Seata server, which processes them without proper validation. The vulnerability is in the Fury serializer used for inter-service communication. No authentication is needed if the server exposes deserialization endpoints to untrusted networks, though typical deployments may limit network access. The attack complexity is low, as the fix directly enhances the whitelist mechanism.

Impact

Successful exploitation can allow an attacker to execute arbitrary code on the Seata server, potentially compromising the entire distributed transaction system. This includes data theft, service disruption, or lateral movement within the microservices environment. The CVSS score has not yet been assigned by NVD [1], but the Apache security team rates it as low severity [4], though impact could be higher in accessible configurations.

Mitigation

Users are strongly recommended to upgrade to Apache Seata version 2.5.0, which includes the fix for Fury deserialization whitelist checking [3]. No workarounds are documented. The vulnerability does not affect version 2.5.0 or later. Administrators should also restrict network access to the Seata server to trusted sources.
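The allow-list check described in the Vulnerability and Mitigation sections above, shown as an added example that is not Seata's own code: a Fury instance left without any class checker (every class name read from the wire is resolved as received) beside one configured the way the 2.5.0 fix configures it, with a STRICT AllowListChecker installed on the class resolver before any bytes are read. It assumes the Apache Fury 0.x Java API under the class names that appear in the fix diff (Fury, Language, AllowListChecker, CheckLevel.STRICT, allowClass); TransactionRecord and UnlistedType are constructed stand-in types, not Seata classes, and the rejection is assumed to surface as a RuntimeException.

```java
import org.apache.fury.Fury;
import org.apache.fury.config.Language;
import org.apache.fury.resolver.AllowListChecker;

import java.io.Serializable;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not Seata's code): Fury configured as the CVE-2025-53606 fix
 * configures it, then fed bytes for a listed and an unlisted class.
 * Assumes the Apache Fury 0.x Java API named in the fix diff.
 */
public class FuryAllowListDemo {

    // Constructed stand-in for a Seata RPC message type (hypothetical name).
    public static class TransactionRecord implements Serializable {
        public String xid;
        public long timestamp;
        public TransactionRecord() {}
        public TransactionRecord(String xid, long timestamp) {
            this.xid = xid;
            this.timestamp = timestamp;
        }
    }

    // Constructed type that is deliberately NOT on the allow list.
    public static class UnlistedType implements Serializable {
        public String note = "not on the allow list";
    }

    /** Weak setup: no class checker, so any class name carried in the bytes is resolved. */
    static Fury weakFury() {
        return Fury.builder()
                .withLanguage(Language.JAVA)
                .requireClassRegistration(false)
                .build();
    }

    /**
     * Hardened setup mirroring the 2.5.0 fix: a STRICT AllowListChecker is attached
     * to the class resolver and populated before the instance reads any input.
     * The fix passes the registry's whole collection via allowClasses(); per-entry
     * allowClass() is used here so the example depends on the narrower API.
     */
    static Fury hardenedFury(List<String> allowedClassNames) {
        Fury f = Fury.builder()
                .withLanguage(Language.JAVA)
                .requireClassRegistration(false)
                .build();
        AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.STRICT);
        f.getClassResolver().setClassChecker(checker);
        for (String name : allowedClassNames) {
            checker.allowClass(name); // fully qualified class names
        }
        return f;
    }

    public static void main(String[] args) {
        // Bytes "arriving from a peer": produced by an unconstrained encoder.
        Fury peer = weakFury();
        byte[] listedBytes = peer.serialize(new TransactionRecord("xid-1", 1L));
        byte[] unlistedBytes = peer.serialize(new UnlistedType());

        Fury server = hardenedFury(Arrays.asList(TransactionRecord.class.getName()));

        Object ok = server.deserialize(listedBytes);
        System.out.println("allowed: " + ok.getClass().getName());

        try {
            server.deserialize(unlistedBytes);
            System.out.println("UNEXPECTED: unlisted class was deserialized");
        } catch (RuntimeException e) {
            // STRICT mode refuses class names outside the allow list before
            // any instance of that class is created (assumed exception type).
            System.out.println("rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

The order matters in hardenedFury: the checker is attached and populated inside the factory, before the instance is ever handed input, which is the same placement the fix diff uses. A deployment that reuses a Fury instance created without a checker, or that adds entries to the allow list lazily, does not get this guarantee.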

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.seata:seata-serializer-fury (Maven)
Affected versions: >= 2.4.0, < 2.5.0
Patched versions: 2.5.0

Affected products (2)

  • Apache/Seata [llm-create]
    Range: <=2.4.0
  • Apache Software Foundation/Apache Seata (incubating) [v5]
    Range: 2.4.0

Patches (1)

d2a18aef82c0

optimize: optimize fury deserialization (#7498)

https://github.com/apache/incubator-seata · GoodBoyCoder · Jul 5, 2025 · via ghsa
3 files changed · +8 −3
  • changes/en-us/2.x.md (+2 −0, modified)
    @@ -31,6 +31,7 @@ Add changes here for all PR submitted to the 2.x branch.
     - [[#7356](https://github.com/apache/incubator-seata/pull/7356)] fix codecov bug
     - [[#7370](https://github.com/apache/incubator-seata/pull/7370)] fix ISSUE_TEMPLATE not work
     - [[#7397](https://github.com/apache/incubator-seata/pull/7397)] Resolve NullPointer and port binding errors
    +- [[#7498](https://github.com/apache/incubator-seata/pull/7498)] fix the class name whitelist check issue in fury deserialization
     
     
     ### optimize:
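Review bot: the changelog entry added at `+- [[#7498](...)] fix the class name whitelist check issue in fury deserialization` describes a security fix, but the commit subject reads "optimize: optimize fury deserialization (#7498)", so anyone scanning commit titles for 2.4.0 will not recognise it as a deserialization hardening change. Suggest aligning the commit subject with the changelog wording (a "fix:" prefix and the phrase "class name whitelist check"), and, once the advisory identifier exists, referencing it from this entry so the 2.5.0 release notes tie the fix to the affected range.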
    @@ -138,6 +139,7 @@ Thanks to these contributors for their code commits. Please report an unintended
     - [jsbxyyx](https://github.com/jsbxyyx)
     - [simzyoo](https://github.com/simzyoo)
     - [Dltmd202](https://github.com/Dltmd202)
    +- [GoodBoyCoder](https://github.com/GoodBoyCoder)
     
     
     
    
  • changes/zh-cn/2.x.md (+2 −0, modified)
    @@ -30,6 +30,7 @@
     - [[#7356](https://github.com/apache/incubator-seata/pull/7356)] 修复 codecov 错误
     - [[#7370](https://github.com/apache/incubator-seata/pull/7370)] 修复 ISSUE_TEMPLATE 不可用
     - [[#7397](https://github.com/apache/incubator-seata/pull/7397)] 解决空指针和端口绑定错误
    +- [[#7498](https://github.com/apache/incubator-seata/pull/7498)] 修复fury反序列化的类名白名单检查问题
     
     
     ### optimize:
    @@ -138,6 +139,7 @@
     - [YvCeung](https://github.com/YvCeung)
     - [jsbxyyx](https://github.com/jsbxyyx)
     - [simzyoo](https://github.com/simzyoo)
    +- [GoodBoyCoder](https://github.com/GoodBoyCoder)
     
     
     同时,我们收到了社区反馈的很多有价值的issue和建议,非常感谢大家。
    
  • serializer/seata-serializer-fury/src/main/java/org/apache/seata/serializer/fury/FurySerializerFactory.java (+4 −3, modified)
    @@ -21,6 +21,7 @@
     import org.apache.fury.ThreadSafeFury;
     import org.apache.fury.config.CompatibleMode;
     import org.apache.fury.config.Language;
    +import org.apache.fury.resolver.AllowListChecker;
     import org.apache.seata.core.serializer.SerializerSecurityRegistry;
     
     public class FurySerializerFactory {
    @@ -41,9 +42,9 @@ public class FurySerializerFactory {
                     .build();
     
             // register allow class
    -        f.getClassResolver()
    -                .setClassChecker((classResolver, className) ->
    -                        SerializerSecurityRegistry.getAllowClassPattern().contains(className));
    +        AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.STRICT);
    +        f.getClassResolver().setClassChecker(checker);
    +        checker.allowClasses(SerializerSecurityRegistry.getAllowClassPattern());
             return f;
         });
     
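Review bot: the replaced lambda `SerializerSecurityRegistry.getAllowClassPattern().contains(className)` applied exact string membership to a collection whose accessor is named "pattern", so the old and new checkers do not necessarily accept the same set of names; the hunk should come with a unit test that feeds one listed class, one name matched only by a pattern entry, and one unlisted class through deserialization, which would pin down the behaviour the changelog calls the "whitelist check" fix. Separately, `f.getClassResolver().setClassChecker(checker)` installs the checker in STRICT mode one line before `checker.allowClasses(...)` populates it; that is safe only because nothing is deserialized inside this factory lambda, and either swapping the two lines or a one-line comment stating that assumption would keep a later refactor from introducing a window in which the instance accepts nothing.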
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.