
LoftOcean TinySalt EUVD-2025-17673

CVE-2025-49455 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
Published 2025-06-10 · audit@patchstack.com
9.3 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline (8 events)

Re-analysis Queued · Apr 23, 2026 15:42 · vuln.today · cvss_changed
CVSS changed · Apr 23, 2026 15:42 · NVD · 9.8 (CRITICAL) to 9.3 (CRITICAL)
Analysis Updated · Apr 16, 2026 05:54 · EUVD-patch-fix · executive_summary
Re-analysis Queued · Apr 16, 2026 05:29 · backfill_euvd_patch · patch_released
Patch available · Apr 16, 2026 05:29 · EUVD · 3.10.0
EUVD ID Assigned · Mar 14, 2026 19:49 · euvd · EUVD-2025-17673
Analysis Generated · Mar 14, 2026 19:49 · vuln.today
CVE Published · Jun 10, 2025 13:15 · nvd · CRITICAL 9.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in LoftOcean TinySalt allows Object Injection. This issue affects TinySalt: from n/a before 3.10.0.

Analysis (AI)

Critical deserialization-of-untrusted-data vulnerability in LoftOcean TinySalt that enables object injection attacks. It affects TinySalt versions prior to 3.10.0 and allows unauthenticated remote attackers to achieve complete system compromise (confidentiality, integrity, and availability impact) with no user interaction required. The attack vector is network-based with low complexity, resulting in a CVSS 9.8 critical severity rating at publication. NVD has since revised the score to 9.3 (see the timeline above and the current vector, which rates integrity impact as none and availability impact as low). Exploitation status and POC availability cannot be confirmed from the provided data, but the vulnerability's remote and unauthenticated nature suggests high real-world exploitability.

Technical Context (AI)

The vulnerability stems from CWE-502: Deserialization of Untrusted Data, a class of flaws in which an application deserializes serialized objects without validating them. TinySalt, a LoftOcean product (the record does not identify the product type; the name suggests a configuration management or infrastructure automation tool), improperly handles serialized data in network communications or data processing pipelines. When an attacker supplies a crafted serialized object, the application deserializes it without integrity verification, so arbitrary classes can be instantiated. This is the basis of object injection: gadget chains in libraries already present in the application are leveraged to achieve remote code execution. The vulnerability affects TinySalt from an unspecified version baseline through 3.9.x, with remediation available in 3.10.0 or later.

Remediation (AI)

Immediate actions:
(1) Identify all systems running TinySalt versions prior to 3.10.0 using inventory or configuration management tools.
(2) Upgrade TinySalt to version 3.10.0 or later immediately; this is a critical patch, and there is no workaround for the underlying deserialization flaw.
(3) If immediate full deployment is infeasible, apply the update in stages, prioritizing internet-facing and production systems.

Workarounds: no effective technical workaround exists for a deserialization flaw without code changes. Temporary risk mitigation (not a substitute for patching):
(4) Implement network-level access controls restricting TinySalt service ports to trusted sources only.
(5) Enable comprehensive logging and monitoring of deserialization errors and object instantiation anomalies.
(6) Isolate affected systems where patching is delayed.

Post-remediation: verify patch deployment, review system logs for exploitation attempts, and reset credentials on patched systems as a precaution.
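As an added illustration of the CWE-502 mechanism described under Technical Context and of the deserialization logging called for in mitigation step (5), the following is example code, not TinySalt's or LoftOcean's. The record does not state what language the product is written in; PHP is assumed here because "object injection" is the usual PHP reading of CWE-502, and the class and function names (CacheEntry, loadSettingsUnsafe, loadSettingsSafe, loadSettingsJson) are hypothetical. The sample inputs are constructed inline.

```php
<?php
declare(strict_types=1);

// Added example, not the product's code. PHP and all names here are assumptions.

// Stand-in for any application class whose magic methods run on deserialization.
class CacheEntry
{
    public static int $wakeups = 0;
    public ?string $value = null;

    public function __wakeup(): void
    {
        // In a real gadget chain, attacker-influenced side effects start here.
        self::$wakeups++;
    }
}

// Unsafe pattern (CWE-502): untrusted bytes go straight into unserialize(), so any
// class the payload names is instantiated and its __wakeup()/__destruct() run.
function loadSettingsUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// True if the decoded value contains any object, including __PHP_Incomplete_Class.
function containsObject(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern: allowed_classes=false stops unserialize() from instantiating
// anything (objects surface as __PHP_Incomplete_Class and no magic method runs),
// and any object at all is logged and rejected so that the monitoring in step (5)
// has an event to alert on.
function loadSettingsSafe(string $raw, callable $log): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        $log('settings payload is not valid serialized data');
        return null;
    }
    if (!is_array($data) || containsObject($data)) {
        $log('settings payload rejected: expected a plain array, found an object');
        return null;
    }
    return $data;
}

// For new data, avoid PHP serialization entirely: JSON has no way to name a class.
function loadSettingsJson(string $raw): ?array
{
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Constructed demo inputs: a benign settings array and an object-bearing payload.
$logger = static fn(string $msg) => fwrite(STDERR, "[deserialization-alert] $msg\n");
$benign        = serialize(['theme' => 'dark', 'per_page' => 10]);
$objectPayload = serialize(new CacheEntry());

var_dump(loadSettingsSafe($benign, $logger));          // the array comes back
var_dump(loadSettingsSafe($objectPayload, $logger));   // rejected, alert written
var_dump(CacheEntry::$wakeups);                        // still 0: __wakeup never ran

loadSettingsUnsafe($objectPayload);                    // the unsafe path runs it
var_dump(CacheEntry::$wakeups);
var_dump(loadSettingsJson('{"theme":"dark","per_page":10}'));
```

The hardened function treats any object in the decoded structure as an anomaly rather than trying to enumerate dangerous classes, because the set of usable gadgets depends on whatever libraries happen to be loaded; the alert line written to STDERR is the kind of signal step (5) asks operators to collect and review.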


EUVD-2025-17673 vulnerability details – vuln.today
