CVE-2025-66214

Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.1 / Impact : 5.3

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/wearefrank/ladybug/security/advisories/GHSA-f9fh-r3cv-398f	Exploit Vendor Advisory
https://github.com/wearefrank/ladybug/security/advisories/GHSA-f9fh-r3cv-398f	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wearefrank:ladybug:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-09 20:15

Updated : 2025-12-17 14:32

NVD link : CVE-2025-66214

Mitre link : CVE-2025-66214

CVE.ORG link : CVE-2025-66214

JSON object : View

Products Affected

wearefrank

ladybug

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-66214", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 1.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-12-09T20:15:54.600", "references": [{"url": "https://github.com/wearefrank/ladybug/security/advisories/GHSA-f9fh-r3cv-398f", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/wearefrank/ladybug/security/advisories/GHSA-f9fh-r3cv-398f", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628."}], "lastModified": "2025-12-17T14:32:23.480", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wearefrank:ladybug:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15B7E045-DD65-475E-AC7F-921062B92E99", "versionEndExcluding": "3.0-20251107.114628"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}