CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Deserialization of Untrusted Data vulnerability in LoftOcean TinySalt allows Object Injection. This issue affects TinySalt: from n/a before 3.10.0.
Analysis
Critical deserialization of untrusted data vulnerability in LoftOcean TinySalt that enables object injection attacks. This vulnerability affects TinySalt versions prior to 3.10.0 and allows unauthenticated remote attackers to achieve complete system compromise (confidentiality, integrity, and availability impact) with no user interaction required. The attack vector is network-based with low complexity, resulting in a CVSS 9.8 critical severity rating; exploitation status and POC availability cannot be confirmed from provided data, but the vulnerability's remote and unauthenticated nature suggests high real-world exploitability.
Technical Context
The vulnerability stems from CWE-502: Deserialization of Untrusted Data, a class of flaws where applications deserialize serialized objects without proper validation. TinySalt, a LoftOcean product (likely a configuration management or infrastructure automation tool based on naming convention), improperly handles serialized data in network communications or data processing pipelines. When an attacker supplies crafted serialized objects, the application deserializes them without integrity verification, allowing arbitrary object instantiation. This can lead to object injection attacks where malicious gadget chains in available libraries are leveraged to achieve remote code execution. The vulnerability affects TinySalt from an unspecified version baseline through 3.9.x, with remediation available in 3.10.0 or later.
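The contrast the paragraph above draws (deserializing whatever a peer sends versus verifying integrity first and only instantiating expected types) is shown below as an added example in Python; it is not TinySalt code and says nothing about how TinySalt actually serializes data. The JobConfig type, the demo key and the blobs are constructed for illustration. The vulnerable pattern is load_unsafe; the hardened path is load_safe, which checks an HMAC before touching the payload and then uses an allow-listing Unpickler so that no class outside the expected set can be instantiated.

```python
import hashlib
import hmac
import io
import pickle
from collections import OrderedDict
from dataclasses import dataclass

# Constructed demo key: a real service loads this from a secret store, never from source.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


@dataclass
class JobConfig:
    """The only object type this hypothetical service expects on the wire."""
    name: str
    retries: int


# Allow-list of (module, class) pairs the unpickler may resolve.
ALLOWED_CLASSES = {(JobConfig.__module__, JobConfig.__name__)}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses to resolve any global not on the allow-list, so a payload cannot
    instantiate arbitrary classes (the mechanism behind object injection)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_unsafe(blob: bytes):
    """Vulnerable pattern (CWE-502): trust whatever the peer sent."""
    return pickle.loads(blob)


def sign(payload: bytes) -> bytes:
    """Prefix the serialized payload with an HMAC-SHA256 tag."""
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return tag + payload


def load_safe(blob: bytes):
    """Hardened pattern: verify integrity first, then deserialize with an allow-list."""
    if len(blob) < MAC_LEN:
        raise ValueError("blob too short to carry a MAC")
    tag, payload = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: payload rejected before deserialization")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def tamper(blob: bytes) -> bytes:
    """Flip one bit of the payload to simulate in-transit modification."""
    data = bytearray(blob)
    data[-1] ^= 0x01
    return bytes(data)


def classify(blob: bytes) -> str:
    """Report how load_safe treats a blob: 'ok', 'bad-mac' or 'bad-class'."""
    try:
        load_safe(blob)
        return "ok"
    except ValueError:
        return "bad-mac"
    except pickle.UnpicklingError:
        return "bad-class"


def make_valid_blob() -> bytes:
    """Constructed, correctly signed payload of the expected type."""
    return sign(pickle.dumps(JobConfig("nightly-backup", 3)))


def make_foreign_blob() -> bytes:
    """Constructed, correctly signed payload of a type the service never expects
    (a harmless OrderedDict stands in for any unexpected class)."""
    return sign(pickle.dumps(OrderedDict(a=1)))


if __name__ == "__main__":
    good = make_valid_blob()
    print(load_safe(good))                       # JobConfig(name='nightly-backup', retries=3)
    print(classify(tamper(good)))                # bad-mac
    foreign = make_foreign_blob()
    print(type(load_unsafe(foreign[MAC_LEN:])).__name__, classify(foreign))  # OrderedDict bad-class
```

The two checks are independent layers: the MAC stops anything a peer altered or forged without the key, and the allow-list stops a correctly signed but unexpected object graph from being instantiated. The second layer matters when the signing key is shared with a less trusted component, and it is the layer that directly addresses the "arbitrary object instantiation" described above.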
Affected Products
Affected Product: LoftOcean TinySalt
Affected Versions: All versions before 3.10.0 (inclusive range: n/a through 3.9.x)
Fixed Version: 3.10.0 and later
CPE string (derived): cpe:2.3:a:loftocean:tinysalt:*:*:*:*:*:*:*:* (with version constraint <3.10.0)
Vendor: LoftOcean
Product: TinySalt (likely a configuration management, orchestration, or DevOps automation platform)
No vendor advisory links are provided in the source data; organizations should consult LoftOcean's official security advisories, GitHub releases, or product documentation for detailed patch information.
Remediation
Immediate Actions:
(1) Identify all systems running TinySalt versions prior to 3.10.0 using inventory or configuration management tools.
(2) Upgrade TinySalt to version 3.10.0 or later immediately; this is a critical patch with no workarounds for the underlying deserialization flaw.
(3) Apply updates in a staged manner if immediate full deployment is infeasible, prioritizing internet-facing and production systems.
Workarounds: No effective technical workarounds exist for deserialization vulnerabilities without code changes. Temporary risk mitigation (not a substitute for patching):
(4) Implement network-level access controls restricting TinySalt service ports to trusted sources only.
(5) Enable comprehensive logging and monitoring of deserialization errors and object instantiation anomalies.
(6) Isolate affected systems where patching is delayed.
Post-Remediation: Verify patch deployment, review system logs for exploitation attempts, and reset credentials on patched systems as a precaution.
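Step (1) above, identifying installs below the fixed version, is where version triage usually goes wrong: "3.9.x" sorts after "3.10.0" when versions are compared as strings. The following added Python example (not part of the advisory or any LoftOcean tooling) parses versions numerically against the 3.10.0 boundary the advisory gives, flags unparseable versions for manual follow-up instead of silently passing them, and shows the lexical comparison mistake side by side. The inventory lines and host names are constructed.

```python
import re

# Version that carries the fix, as stated in the advisory.
FIXED_VERSION = "3.10.0"

# Constructed inventory (hypothetical hosts): "<host> <product> <version>" per line.
INVENTORY = """\
web-01 tinysalt 3.9.4
web-02 tinysalt 3.10.0
web-03 tinysalt 3.10.2
web-04 tinysalt 2.8
web-05 tinysalt unknown
"""


def parse_version(text: str):
    """Turn '3.9.4' or '3.9.4-rc1' into a comparable tuple (3, 9, 4).
    Returns None when no numeric components are present."""
    head = text.split("-", 1)[0]          # drop pre-release suffixes
    nums = re.findall(r"\d+", head)
    if not nums:
        return None
    parts = tuple(int(n) for n in nums)
    return parts + (0,) * (3 - len(parts))  # pad so '2.8' becomes (2, 8, 0)


def naive_is_affected(version: str) -> bool:
    """The mistake to avoid: lexical string comparison ('9' > '1', so 3.9.4 looks patched)."""
    return version < FIXED_VERSION


def is_affected(version: str):
    """Numeric comparison against the fixed release; None when the version is unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < parse_version(FIXED_VERSION)


def triage(inventory: str) -> dict:
    """Map each TinySalt host to 'affected', 'patched' or 'unknown'.
    'unknown' is deliberately not treated as patched; it needs manual follow-up."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        if product.lower() != "tinysalt":
            continue
        verdict = is_affected(version)
        if verdict is None:
            result[host] = "unknown"
        else:
            result[host] = "affected" if verdict else "patched"
    return result


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
    print("naive check flags 3.9.4 as affected?", naive_is_affected("3.9.4"))  # False (wrong)
    print("numeric check flags 3.9.4 as affected?", is_affected("3.9.4"))      # True
```

Feed the real inventory export in place of the constructed INVENTORY string; anything reported as "unknown" should be verified by hand before the host is counted as remediated.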
EUVD-2025-17673