{"id":"CVE-2025-32897","details":"Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).\n\nThis security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow.\nThis issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0.\n\nUsers are recommended to upgrade to version 2.3.0, which fixes the issue.","aliases":["GHSA-m964-fjrh-xxq2"],"modified":"2026-04-12T15:15:02.080993Z","published":"2025-06-28T19:15:21.917Z","references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/9fhtf7yvpjpzlwd1m0wfgg6tp2btxpy1"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2024-47552"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/incubator-seata","events":[{"introduced":"f43e2a9268992b161f38c4d6eccc77646cc39ff4"},{"fixed":"0ad2847465fa877a2c65ea84ed43f5b0984c3ce9"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.3.0"}]}}],"database_specific":{"vanir_signatures_modified":"2026-04-12T15:15:02Z","vanir_signatures":[{"signature_type":"Function","digest":{"length":781,"function_hash":"240067990988798984774333426527542216993"},"deprecated":false,"signature_version":"v1","source":"https://github.com/apache/incubator-seata/commit/0ad2847465fa877a2c65ea84ed43f5b0984c3ce9","target":{"file":"compatible/src/test/java/io/seata/tm/api/DefaultFailureHandlerImplTest.java","function":"onRollbackFailure"},"id":"CVE-2025-32897-07302aff"},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["214371701131224498867116484830138557703","103326891935392308817415952443352830416","29836720890721288277864917060910770819","186845443821405445959121861006761966953","217365845043367773184233231979282871872","82114271901885231626273463470417740184","146361738576118732171276518781402474454","310510940811645211455589781085390188165","263244397258121676730293097289174157752","29439393588654488175608979012935492705","102413946797138234201662137666013873019","260497709188647182438199528598918129591","215173368832176471242132037284754458404","175215250857535432569302346962253013528","62986732600527447919352984799946447514","118997166559430201205377471925113345461","322471347800547440191851543434567799974","122680355191551761480435053745164815374","276339125260561915457282481194820802964","140547074940766806655608472131492699319","174350547264623027348106163151060642331","137923086386680235195368373485846998567","272888749388520485511006835967757413987","118997166559430201205377471925113345461","321094720905825230590926674286971477305","60588315817936963341787888240580836278","218198032645929880224463458707450260537","15319099719913058711416722187492345748","317550517784042902280322593981889560653","89368058117736478701828344361097650381","27308704412086359555145297805837498242","301319239267573754008104887185413256567","222450974535972369463885271580295867730","244121519962982378680254867060810488396","95632042134146977834463884110560855540","230550138545905725533269700658427621704","248614934668312562197066148392379201343","206041177008454488933624853012107108510","144720166662055302258879218510818532341","94660915357466434881163650744661959389","241873659775370499306438596218264438967","48056173169660791785897840437312774305","118997166559430201205377471925113345461","78501750082687453791018867956359540867","134980027055803332390119242149718454755","262683033407838943273187555829451481280","295546450488981567970016300238048336620","317550517784042902280322593981889560653","89368058117736478701828344361097650381","27308704412086359555145297805837498242","92631555481375945709892771140716687871","299377563284640409359971873919771245737","71071283592129147174369364284906572370","150819172612671075925115838154738652001","230550138545905725533269700658427621704","248614934668312562197066148392379201343","283055200384401393662846797855649751488"]},"deprecated":false,"signature_version":"v1","source":"https://github.com/apache/incubator-seata/commit/0ad2847465fa877a2c65ea84ed43f5b0984c3ce9","target":{"file":"compatible/src/test/java/io/seata/tm/api/DefaultFailureHandlerImplTest.java"},"id":"CVE-2025-32897-286a2cfe"},{"signature_type":"Function","digest":{"length":301,"function_hash":"202134273638937640523091858698907516464"},"deprecated":false,"signature_version":"v1","source":"https://github.com/apache/incubator-seata/commit/0ad2847465fa877a2c65ea84ed43f5b0984c3ce9","target":{"file":"tm/src/test/java/org/apache/seata/tm/api/DefaultFailureHandlerImplTest.java","function":"onBeginFailure"},"id":"CVE-2025-32897-4bf21141"},{"signature_type":"Function","digest":{"length":763,"function_hash":"11443722429053205124381077063215277104"},"deprecated":false,"signature_version":"v1","source":"https://github.com/apache/incubator-seata/commit/0ad2847465fa877a2c65ea84ed43f5b0984c3ce9","target":{"file":"tm/src/test/java/org/apache/seata/tm/api/DefaultFailureHandlerImplTest.java","function":"onCommitFailure"},"id":"CVE-2025-32897-6de3dd52"},{"signature_type":"Function","digest":{"length":764,"function_hash":"40891575550624031541142231537032272934"},"deprecated":false,"signature_version":"v1","source":"https://github.com/apache/incubator-seata/commit/0ad2847465fa877a2c65ea84ed43f5b0984c3ce9","target":{"file":"tm/src/test/java/org/apache/seata/tm/api/DefaultFailureHandlerImplTest.java","function":"onRollbackFailure"},"id":"CVE-2025-32897-7461265b"},{"signature_type":"Function","digest":{"length":326,"function_hash":"69413645204021743567426950099396618754"},"deprecated":false,"signature_version":"v1","source":"https://github.com/apache/incubator-seata/commit/0ad2847465fa877a2c65ea84ed43f5b0984c3ce9","target":{"file":"compatible/src/test/java/io/seata/tm/api/DefaultFailureHandlerImplTest.java","function":"onBeginFailure"},"id":"CVE-2025-32897-884fdb5b"},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["215173368832176471242132037284754458404","305032704825348911215330062759723646232","163618769591464039381844358586532737951","107328969793023525655820777135945710337","317339715957054479303503280999366021643","307212327460262980954635851408249695992","276339125260561915457282481194820802964","140547074940766806655608472131492699319","174350547264623027348106163151060642331","10162338892946920728949814435737932849","334349791224166347928686719021351369262","107328969793023525655820777135945710337","300634779041623689618478763233866348006","50459287837539536243048118737281602061","233375589630845857206844704940219804078","161081529563893060517148914601534780865","197491897922221397590990071679749577085","89368058117736478701828344361097650381","27308704412086359555145297805837498242","301319239267573754008104887185413256567","222450974535972369463885271580295867730","244121519962982378680254867060810488396","95632042134146977834463884110560855540","230550138545905725533269700658427621704","248614934668312562197066148392379201343","206041177008454488933624853012107108510","144720166662055302258879218510818532341","94660915357466434881163650744661959389","219072849152372509987863076951385938844","329874858319699511374374840452843668006","107328969793023525655820777135945710337","84771242885442855081822921050681634259","151147112222226890928071623970661688574","215535698506305437485139376121484603910","14694940081743184738712572913449797815","197491897922221397590990071679749577085","89368058117736478701828344361097650381","27308704412086359555145297805837498242","92631555481375945709892771140716687871","299377563284640409359971873919771245737","71071283592129147174369364284906572370","150819172612671075925115838154738652001","230550138545905725533269700658427621704","248614934668312562197066148392379201343","283055200384401393662846797855649751488"]},"deprecated":false,"signature_version":"v1","source":"https://github.com/apache/incubator-seata/commit/0ad2847465fa877a2c65ea84ed43f5b0984c3ce9","target":{"file":"tm/src/test/java/org/apache/seata/tm/api/DefaultFailureHandlerImplTest.java"},"id":"CVE-2025-32897-907b506b"},{"signature_type":"Function","digest":{"length":780,"function_hash":"85391567855351372668753100169001057514"},"deprecated":false,"signature_version":"v1","source":"https://github.com/apache/incubator-seata/commit/0ad2847465fa877a2c65ea84ed43f5b0984c3ce9","target":{"file":"compatible/src/test/java/io/seata/tm/api/DefaultFailureHandlerImplTest.java","function":"onCommitFailure"},"id":"CVE-2025-32897-abc1a04f"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32897.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}