Vulnerability Description
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Severity Justification: The Apache Seata security team assesses the severity of this vulnerability as "Low" due to stringent real-world mitigating factors. First, the vulnerability is strictly isolated to the Raft cluster mode, an optional and non-default feature introduced in v2.0.0, while most users rely on the unaffected traditional architecture. Second, Seata is an internal middleware; communication between TC and RM/TM occurs entirely within trusted internal networks. An attacker would require prior, unauthorized access to the Intranet to exploit this, making external exploitation highly improbable. Users are recommended to upgrade to version 2.2.0, which fixes the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Seata | >= 2.0.0, < 2.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/apache/incubator-seata/commit/20cd9625d23f99b71fefc83b8db96c1
- https://lists.apache.org/thread/652o82vzk9qrtgksk55cfgpbvdgtkch0Mailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2025/03/19/5Mailing ListThird Party Advisory
FAQ
What is CVE-2024-47552?
CVE-2024-47552 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): from 2.0.0 before 2.2.0. Severity Justification: The Apache Seata...
How severe is CVE-2024-47552?
CVE-2024-47552 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-47552?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Seata.