CVE-2024-56180

Critical

Published: 14 February 2025

Published

14 February 2025

Modified

14 July 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0054 67.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.

Security Summary

CVE-2024-56180 is a CWE-502 Deserialization of Untrusted Data vulnerability in the eventmesh-meta-raft plugin module of Apache EventMesh master branch, excluding release versions, on Windows, Linux, and macOS platforms. The flaw allows attackers to send controlled messages that trigger remote code execution via the Hessian deserialization RPC protocol.

Remote attackers can exploit this vulnerability with network access, no privileges required, low attack complexity, and no user interaction needed. Exploitation yields high-impact confidentiality, integrity, and availability effects, resulting in a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Apache advisories indicate that users should apply the fixed code from the master branch in the project repository or upgrade to version 1.11.0 to mitigate the issue. Relevant discussions appear in the Apache mailing list and oss-security announcements.

Details

CWE(s): CWE-502

Affected Products

apache

eventmesh

1.10.1 — 1.11.0

References

https://lists.apache.org/thread/k9fw0t5r7t1vbx53gs8d1r8c54rhx0wd
Issue Tracking, Mailing List, Vendor Advisory · security@apache.org
http://www.openwall.com/lists/oss-security/2025/02/14/7
Mailing List, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108