Deserialization Vulnerability in Dromara Sa-Token by Dromara
CVE-2025-15117
2.3 LOW
What is CVE-2025-15117?
Dromara Sa-Token up to version 1.44.0 is affected by a weakness in the call to ObjectInputStream.readObject in SaJdkSerializer.java. Crafted input supplied remotely can trigger unauthorized deserialization, which puts applications that use this library at risk. Exploitation is considered highly complex, and initial attempts to contact the vendor for a remediation response went unanswered.
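As an added defender's illustration (not Sa-Token's own code; the class and method names below are assumed), this shows the pattern the advisory names, a bare ObjectInputStream.readObject on bytes from an untrusted source, next to the same call hardened with a JEP 290 allow-list filter that rejects every class not explicitly permitted:

```java
import java.io.*;
import java.util.HashMap;
import java.util.Date;

// Hypothetical JDK-serialization helper illustrating the bug class, not SaJdkSerializer itself.
public class JdkSerializerDemo {

    // Vulnerable pattern: readObject accepts any Serializable class on the classpath,
    // so attacker-controlled bytes decide which classes get instantiated.
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern (Java 9+): allow-list only the types the application stores.
    // java.lang.Number is listed because Integer's serializable superclass descriptor is
    // also checked by the filter; "!*" rejects everything else; limits bound graph size.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.lang.Integer;java.lang.Number;java.lang.String;!*;"
            + "maxdepth=10;maxrefs=1000;maxbytes=65536");

    static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject(); // throws InvalidClassException for a rejected class
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a session-like map the application legitimately persists.
        HashMap<String, Object> session = new HashMap<>();
        session.put("loginId", 10001);
        System.out.println("filtered, allowed: " + safeDeserialize(serialize(session)));

        // Constructed stand-in for an unexpected class in the stream: Date is harmless,
        // but it is not on the allow-list, so only the filtered path rejects it.
        byte[] unexpected = serialize(new Date(0));
        System.out.println("unfiltered, accepted: " + unsafeDeserialize(unexpected));
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, rejected: " + e.getMessage());
        }
    }
}
```

The filter string can also be set process-wide with the jdk.serialFilter system property, which covers readObject calls in libraries whose code you cannot change.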
Affected Version(s)
Sa-Token 1.0
Sa-Token 1.1
Sa-Token 1.2
