
LoftOcean CozyStay CVE-2025-49507 (EUVD-2025-17672) · CRITICAL

Deserialization of Untrusted Data (CWE-502)
Published 2025-06-10 · Reporter: audit@patchstack.com
CVSS 3.1 base score 9.8 (NVD)

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline (7 events, newest first)

  • Re-analysis Queued · Apr 23, 2026 - 15:42 · vuln.today · cvss_changed
  • Analysis Updated · Apr 16, 2026 - 05:54 · EUVD-patch-fix · executive_summary
  • Re-analysis Queued · Apr 16, 2026 - 05:29 · backfill_euvd_patch · patch_released
  • Patch available · Apr 16, 2026 - 05:29 · EUVD · fixed version 1.7.1
  • EUVD ID Assigned · Mar 14, 2026 - 19:49 · euvd · EUVD-2025-17672
  • Analysis Generated · Mar 14, 2026 - 19:49 · vuln.today
  • CVE Published · Jun 10, 2025 - 13:15 · nvd · CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in LoftOcean CozyStay allows Object Injection. This issue affects CozyStay: from n/a before 1.7.1.

Analysis (AI-generated)

Critical deserialization of untrusted data vulnerability in LoftOcean CozyStay that enables object injection. All versions before 1.7.1 are affected. The CVSS vector indicates that an unauthenticated remote attacker can reach the flaw over the network with no user interaction, with high impact on confidentiality, integrity, and availability. The 9.8 score places it at the top of the severity scale.

Technical Context (AI-generated)

This vulnerability stems from unsafe deserialization (CWE-502: Deserialization of Untrusted Data) in the CozyStay accommodation management platform. The application likely deserializes user-supplied data without validating it, which lets an attacker instantiate arbitrary objects and manipulate application state. The exact serialization format depends on the technology stack; this analysis does not identify it, and the references to Java objects or Python pickle data below are generic possibilities rather than confirmed details. Object injection becomes remote code execution only when suitable gadget classes are present in the application or its dependencies. CozyStay versions prior to 1.7.1 (CPE pattern: cpe:2.3:a:loftocean:cozystay:*:*:*:*:*:*:*:*) lack input sanitization on the affected deserialization path; the analysis speculates that this lies in handling of user sessions, configuration imports, or API requests, but the advisory does not name the endpoint.

Remediation (AI-generated)

  • Immediate Patching: Upgrade CozyStay to version 1.7.1 or later. This release fixes the unsafe deserialization by adding input validation and using safe deserialization routines.
  • Network Isolation (temporary): If patching cannot be applied immediately, restrict network access to CozyStay instances to trusted internal networks only. Disable external API endpoints and any REST/API services that accept serialized data.
  • Input Validation: If source code access is available, implement allow-list-based deserialization using safe alternatives: replace native serialization with JSON parsing, use ObjectInputStream with FilteringObjectInputStream (Java 9+), or implement custom deserialization logic with type checking.
  • WAF/IDS Rules: Deploy Web Application Firewall rules that detect serialized object patterns in HTTP requests (e.g., the Java serialization magic bytes 0xaced0005 or Python pickle opcodes) and monitor for suspicious deserialization activity.
  • Monitoring: Enable application logging for deserialization failures and unexpected object instantiation. Alert on any ClassNotFoundException or reflection-based method invocation anomalies.


CVE-2025-49507 vulnerability details – vuln.today
