Vulnerability Description
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Severity Justification: The Apache Seata security team assesses the severity of this vulnerability as "Low" due to stringent real-world mitigating factors. First, the vulnerability is strictly isolated to the Raft cluster mode, an optional and non-default feature introduced in v2.0.0, while most users rely on the unaffected traditional architecture. Second, Seata is an internal middleware; communication between TC and RM/TM occurs entirely within trusted internal networks. An attacker would require prior, unauthorized access to the Intranet to exploit this, making external exploitation highly improbable. Users are recommended to upgrade to version 2.3.0, which fixes the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Seata | >= 2.0.0, < 2.3.0 |
Related Weaknesses (CWE)
References
- https://github.com/apache/incubator-seata/commit/20cd9625d23f99b71fefc83b8db96c1
- https://lists.apache.org/thread/9fhtf7yvpjpzlwd1m0wfgg6tp2btxpy1Mailing ListVendor Advisory
- https://www.cve.org/CVERecord?id=CVE-2024-47552Third Party Advisory
FAQ
What is CVE-2025-32897?
CVE-2025-32897 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definiti...
How severe is CVE-2025-32897?
CVE-2025-32897 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-32897?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Seata.