PT-2025-53845 · Dromara · Sa-Token

Yohane-Mashiro

Published

2025-12-30

Updated

2025-12-30

CVE-2025-15222

CVSS v3.1

5.0

Medium

Vector

AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions Dromara Sa-Token versions prior to 1.45.0

Description A flaw exists in Dromara Sa-Token up to version 1.44.0 related to deserialization. The issue is located in the ObjectInputStream.readObject function within the SaSerializerTemplateForJdkUseBase64.java file. This allows for remote manipulation with high complexity and difficult exploitability. The exploit has been publicly disclosed. The vendor was informed but did not respond.

Recommendations Update Dromara Sa-Token to version 1.45.0 or later. As a temporary workaround, consider restricting access to the SaSerializerTemplateForJdkUseBase64.java file.

Exploit

Fix

Deserialization of Untrusted Data

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-20

Related Identifiers

CVE-2025-15222

Affected Products

Sa-Token

PT-2025-53845 · Dromara · Sa-Token

CVE-2025-15222

Weakness Enumeration

Related Identifiers

Affected Products

References · 8