Apache Causeway, a popular framework for rapidly developing domain-driven Java applications, has been found vulnerable to a critical Java deserialization flaw that could allow authenticated attackers to execute arbitrary code within affected applications. Tracked as CVE-2025-64408, the issue impacts multiple major versions of the framework and is considered a critical-severity remote code execution (RCE) risk.
The vulnerability affects all applications built with the following Apache Causeway versions:
- 2.0.0 through 3.4.0
- 4.0.0-M1
According to the advisory, the flaw impacts all implementations using Causeway’s ViewModel functionality, a core feature responsible for exposing domain logic through dynamically generated web interfaces and REST APIs.
At the center of CVE-2025-64408 is a Java deserialization vulnerability reachable via user-controlled URL parameters. In affected configurations, authenticated users can manipulate serialized data embedded within application URLs.
Because Java deserialization can reconstruct entire object graphs—including objects whose constructors or methods execute code—the attacker can supply malicious payloads that trigger remote code execution with the privileges of the application process.
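To make the mechanism concrete, the following is an added Java example, not Causeway's code and not a description of how 3.5.0 fixes the issue. It round-trips page state through a base64 URL parameter the way a web framework might, then decodes it twice: once with a bare ObjectInputStream, which instantiates whatever class name the stream carries, and once with a JDK ObjectInputFilter (JEP 290) that allow-lists only the expected view-model class and caps stream size and depth. The CustomerViewModel class, the encode/decode helpers and the sample values are constructed for illustration; the filter pattern syntax is the JDK's ObjectInputFilter.Config.createFilter. A HashMap stands in for "any class the application did not expect"; it is benign, and the point is that the filter rejects an unexpected class before it is instantiated, so its deserialization hooks never run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;

public class UrlStateDeserialization {

    // Hypothetical view-model state an application might round-trip through a URL parameter.
    static final class CustomerViewModel implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customerId;
        CustomerViewModel(String customerId) { this.customerId = customerId; }
    }

    // Encode an object the way a framework might embed page state in a URL parameter.
    static String encode(Object state) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(state);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes.toByteArray());
    }

    // Vulnerable pattern: the URL parameter is trusted, so any class named in the stream
    // is instantiated and its deserialization logic runs.
    static Object decodeUnfiltered(String param) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getUrlDecoder().decode(param);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 filter allow-lists the one class we expect (plus String for its
    // field), rejects every other class ("!*") before instantiation, and bounds the stream.
    static final ObjectInputFilter VIEW_MODEL_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxrefs=32;maxbytes=4096;"
            + CustomerViewModel.class.getName() + ";java.lang.String;!*");

    static Object decodeFiltered(String param) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getUrlDecoder().decode(param);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(VIEW_MODEL_FILTER); // must be set before the first readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        String expected = encode(new CustomerViewModel("C-1001")); // constructed sample value
        // Constructed stand-in for a class the application never meant to accept from a URL.
        String unexpected = encode(new HashMap<String, String>());

        System.out.println("unfiltered, expected class:   " + decodeUnfiltered(expected).getClass().getName());
        System.out.println("unfiltered, unexpected class: " + decodeUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered, expected class:     " + decodeFiltered(expected).getClass().getName());
        try {
            decodeFiltered(unexpected);
            System.out.println("filtered, unexpected class:   accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            // The filter rejected java.util.HashMap before an instance was created.
            System.out.println("filtered, unexpected class:   rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac UrlStateDeserialization.java && java UrlStateDeserialization` on Java 9 or later. The unfiltered path reconstructs both objects; the filtered path reconstructs the view model and throws InvalidClassException for the HashMap. Because the filter is consulted when the class descriptor is read, not after the object exists, this is the property that matters against the flaw described above: the deserializer never gets as far as running code belonging to a class the application did not list. Where serialized state must live in a URL at all, an allow-list filter is usually paired with an integrity check (for example an HMAC over the parameter) so that a tampered parameter is rejected before deserialization starts.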
The Apache Causeway team has released version 3.5.0, which fully addresses the vulnerability.