Apache Causeway security advisories

Security information for Apache Causeway

Reporting

Do you want disclose a potential security issue for Apache Causeway? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Java deserialization vulnerability to authenticated attackers

CVE-2025-64408 [CVE] [CVE json] [OSV json]

Last updated: 2025-11-19T10:32:04.142Z

Affected

  • Apache Causeway from 2.0.0 through 3.4.0
  • Apache Causeway at 4.0.0-M1

Description

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges. 

This issue affects all current versions.

Users are recommended to upgrade to version 3.5.0, which fixes the issue.

References

Credits

  • Slain Nico (reporter)