What is the CVSS score of CVE-2025-53393?

CVE-2025-53393 has a CVSS 3.1 base score of 6.0 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L. EPSS exploitation probability: 0.1%.

Which versions of Java are affected by CVE-2025-53393?

Organizations using Akka should be aware of moderate risk from CVE-2025-53393, a insecure deserialization vulnerability rated CVSS 6.0.. A patch is available.

How to fix or mitigate CVE-2025-53393?

Within 30 days: Identify affected systems running Akka and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Java CVE-2025-53393

EUVD-2025-19463 MEDIUM

Deserialization of Untrusted Data (CWE-502)

2025-06-28 cve@mitre.org

GHSA-358m-fq53-hp87

Deserialization Java

6.0

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

6.0 MEDIUM

AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 16, 2026 - 01:05 euvd

EUVD-2025-19463

Analysis Generated

Mar 16, 2026 - 01:05 vuln.today

CVE Published

Jun 28, 2025 - 23:15 nvd

MEDIUM 6.0

DescriptionCVE.org

In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.

Analysis

In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.

Technical ContextAI

Insecure deserialization occurs when untrusted data is used to reconstruct objects, allowing attackers to manipulate serialized data to execute arbitrary code. This vulnerability is classified as Deserialization of Untrusted Data (CWE-502).

RemediationAI

Avoid deserializing untrusted data. Use safe serialization formats (JSON instead of native serialization). Implement integrity checks on serialized data.

More from same product – last 7 days

CVE-2026-28575 CRITICAL Act Now

10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran

CVE-2026-55773 HIGH This Week

8.8 Jun 19

Cedar policy injection in CedarJava (com.cedarpolicy:cedar-java) versions below 2.3.6, 3.4.1, and 4.9.0 allows attackers

CVE-2026-55772 HIGH This Week

8.8 Jun 19

Type confusion in CedarJava versions prior to 2.3.6, 3.4.1, and 4.9 allows authenticated remote attackers to manipulate

CVE-2026-44795 HIGH This Week

8.5 Jun 22

Remote code execution in Spinnaker's Orca and Rosco services allows authenticated users to achieve arbitrary Java class

CVE-2026-50196 HIGH This Week

7.5 Jun 17

Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka re

CVE-2025-53393 vulnerability details – vuln.today

Back