EUVD-2025-17672
CVE-2025-49507 | CRITICAL
2025-06-10 | [email protected]
CVSS 3.1 base score: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

- EUVD ID Assigned (EUVD-2025-17672): Mar 14, 2026 - 19:49 (source: euvd)
- Analysis Generated: Mar 14, 2026 - 19:49 (source: vuln.today)
- CVE Published: Jun 10, 2025 - 13:15 (source: nvd)

Description

Deserialization of Untrusted Data vulnerability in LoftOcean CozyStay allows Object Injection. This issue affects CozyStay: from n/a before 1.7.1.

Analysis

Critical deserialization of untrusted data vulnerability in LoftOcean CozyStay that enables object injection attacks. All versions before 1.7.1 are affected, allowing unauthenticated remote attackers to achieve complete system compromise (high confidentiality, integrity, and availability impact) with no user interaction required. The vulnerability is exploitable over the network, and its CVSS 9.8 score places it at the top of the severity scale.

Technical Context

This vulnerability stems from unsafe deserialization practices (CWE-502: Deserialization of Untrusted Data) in the CozyStay accommodation management platform. The application likely deserializes user-supplied data without proper validation, enabling attackers to instantiate arbitrary objects and manipulate application state. Common attack vectors include serialized Java objects, Python pickle data, or similar serialization formats depending on the technology stack. The object injection capability allows attackers to chain gadget libraries (if present) to achieve remote code execution. CozyStay versions prior to 1.7.1 (CPE pattern: cpe:2.7:a:loftocean:cozystay:*:*:*:*:*:*:*:*) lack proper input sanitization on deserialization endpoints, likely those handling user sessions, configuration imports, or API requests.

Affected Products

CozyStay (All versions before 1.7.1)

Remediation

- Immediate Patching: Upgrade CozyStay to version 1.7.1 or later. This release fixes the unsafe deserialization by adding proper input validation and using safe deserialization routines.
- Network Isolation (Temporary): If patching cannot be applied immediately, restrict network access to CozyStay instances to trusted internal networks only, and disable any external or REST/API endpoints that accept serialized data.
- Input Validation: If source code access is available, implement allowlist-based deserialization using safe alternatives: replace native serialization with JSON parsing, use ObjectInputStream with a deserialization filter (Java 9+ ObjectInputFilter), or implement custom deserialization logic with explicit type checking.
- WAF/IDS Rules: Deploy Web Application Firewall rules to detect serialized object patterns in HTTP requests (e.g., the Java serialization magic bytes 0xaced0005, Python pickle opcodes). Monitor for suspicious deserialization activity.
- Monitoring: Enable application logging for deserialization failures and unexpected object instantiation. Alert on any ClassNotFoundException or reflection-based method invocation anomalies.

Priority Score

49 (scale: Low / Medium / High / Critical)

Components:
- KEV: 0
- EPSS: +0.1
- CVSS: +49
- POC: 0
