Apache Causeway security advisories
Security information for Apache Causeway
Reporting
Do you want disclose a potential security issue for Apache Causeway? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Java deserialization vulnerability to authenticated attackers
CVE-2025-64408 [CVE] [CVE json] [OSV json]
Last updated: 2025-11-19T10:32:04.142Z
Affected
- Apache Causeway from 2.0.0 through 3.4.0
- Apache Causeway at 4.0.0-M1
Description
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges.
This issue affects all current versions.
Users are recommended to upgrade to version 3.5.0, which fixes the issue.
References
Credits
- Slain Nico (reporter)