CVE-2025-32897

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).<br /> <br /> This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow.<br /> This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0.<br /> <br /> Severity Justification:<br /> The Apache Seata security team assesses the severity of this vulnerability as "Low" due to stringent real-world mitigating factors. First, the vulnerability is strictly isolated to the Raft cluster mode, an optional and non-default feature introduced in v2.0.0, while most users rely on the unaffected traditional architecture. Second, Seata is an internal middleware; communication between TC and RM/TM occurs entirely within trusted internal networks. An attacker would require prior, unauthorized access to the Intranet to exploit this, making external exploitation highly improbable.<br /> Users are recommended to upgrade to version 2.3.0, which fixes the issue.