CVE-2025-46183
Published: 24 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-46183 is an insecure deserialization vulnerability in the Utils.deserialize function of pgCodeKeeper version 10.12.0. pgCodeKeeper is a Java application, so the .ser input is a Java object-serialization stream; the function deserializes such data from untrusted sources, allowing a specially crafted .ser file to trigger unintended code execution or other malicious behavior on the target system. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N) and maps to CWE-502: Deserialization of Untrusted Data.
The vector places the attacker on the network with no privileges and no user interaction, at low attack complexity. By delivering a crafted .ser file to the deserialization path, an attacker can reach whatever readObject/readResolve gadgets are present on the application's classpath, up to arbitrary code execution. Note that the scored impact (C:L/I:H/A:N) is narrower than unrestricted code execution would imply: the scoring treats data tampering (high integrity impact) as the primary consequence, with only limited confidentiality impact and no availability impact, so the "arbitrary code execution" wording should be read as the worst case reachable with a suitable gadget chain rather than the scored outcome.
Mitigation details are available in the disclosure advisory at https://github.com/hacktimepro/vulnerabilities/blob/main/Disclosure_CVE-2025-46183_pgcodekeeper.md.
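The vulnerable and hardened forms of the pattern described above, as an added example. This is not pgCodeKeeper's code (the page does not show Utils.deserialize): ProjectSettings is a hypothetical stand-in for whatever the real .ser file carries, and the allowlist contents plus the depth, reference and byte limits are illustrative choices. The hardened path uses the standard JDK ObjectInputFilter (JEP 290, Java 9+; backported to 8u121 as sun.misc.ObjectInputFilter) so that every class in the stream is checked before it is resolved, instead of relying on the cast after readObject() returns.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

public class SerDemo {

    // Hypothetical stand-in for whatever pgCodeKeeper persists in its .ser files;
    // the real type is not named in the advisory text on this page.
    public static final class ProjectSettings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        ProjectSettings(String name) { this.name = name; }
    }

    // VULNERABLE pattern (CWE-502): readObject() instantiates whatever class the stream
    // names; any readObject/readResolve side effect on the classpath runs before the
    // caller ever gets to cast or inspect the result.
    static Object deserializeUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // HARDENED: only the types this loader expects are permitted; everything else is
    // rejected at class-resolution time. Limits are illustrative values for this demo.
    static final Set<String> ALLOWED = Set.of(ProjectSettings.class.getName(), String.class.getName());

    static ObjectInputFilter allowlistFilter() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // No class at this step (e.g. a back-reference): still enforce resource limits
                // so a stream cannot nest or self-reference its way into exhaustion.
                boolean tooBig = info.depth() > 5 || info.references() > 100 || info.streamBytes() > 64 * 1024;
                return tooBig ? ObjectInputFilter.Status.REJECTED : ObjectInputFilter.Status.UNDECIDED;
            }
            // Arrays are judged by their component type; primitives are always safe.
            while (c.isArray()) c = c.getComponentType();
            if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
            return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                                : ObjectInputFilter.Status.REJECTED;
        };
    }

    static ProjectSettings deserializeSafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowlistFilter());
            // The cast is a type check for the caller, not a security control; the filter
            // above has already refused any class that is not on the allowlist.
            return (ProjectSettings) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ProjectSettings("demo"));
        // Constructed stand-in for an attacker-supplied .ser: a type the loader never asked for.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("unsafe path accepted: " + deserializeUnsafe(unexpected).getClass().getName());
        System.out.println("safe path accepted:   " + deserializeSafe(expected).name);
        try {
            deserializeSafe(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe path rejected:   " + e.getMessage());
        }
    }
}
```

The unfiltered path happily materialises the HashMap even though the caller wanted a ProjectSettings, which is exactly the window a gadget chain exploits; the filtered path throws InvalidClassException for the same bytes before any constructor or readObject logic of the foreign class runs. In a real fix the allowlist should name only the concrete classes the .ser format is supposed to contain, and the filter is best installed process-wide via ObjectInputFilter.Config.setSerialFilter so that a forgotten call site does not reopen the hole.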
Details
- CWE(s): CWE-502 Deserialization of Untrusted Data
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application (Initial Access)
Why these techniques?
The vulnerability allows remote, unauthenticated exploitation of a deserialization flaw (CWE-502) in a network-reachable pgCodeKeeper deployment, leading to arbitrary code execution, which maps directly to Exploit Public-Facing Application.