CVE-2025-66214 · HIGH 8.8 · EPSS percentile 18.5%


Description

Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.27% probability of exploitation · percentile 18.5% · 2026-06-18T12:00:27Z
Published: 2025-12-09
Last modified: 2025-12-17

Underlying weaknesses (1)

CWE-502

References

  1. https://github.com/wearefrank/ladybug/security/advisories/GHSA-f9fh-r3cv-398f


Type      Target                                        Confidence  Tier
Weakness  Deserialization of Untrusted Data (CWE-502)   0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-47154
CVE: CVE-2025-26014
CVE: CVE-2026-36765
CVE: CVE-2025-10492
CVE: CVE-2025-30023
CVE: CVE-2025-60036
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.