Cyber Posture

CVE-2025-66214

Severity: High · Public PoC

Published: 09 December 2025

Modified: 17 December 2025
KEV Added
Patch
CVSS Score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0019 (40.7th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly mitigates the deserialization vulnerability by requiring timely application of the vendor fix in Ladybug version 3.0-20251107.114628.

prevent: Requires validation of user-controllable gzip-compressed XML uploads so that crafted payloads are rejected before they reach the deserializer and can lead to RCE.

prevent: Restricts unauthorized or excessive uploads to the vulnerable /iaf/ladybug/api/report endpoints, limiting opportunities for untrusted XML submission.

Security Summary (AI)

Ladybug, a Java-based tool for adding message-based debugging, unit, system, and regression testing to applications, is affected by CVE-2025-66214 in versions prior to 3.0-20251107.114628. The vulnerability stems from the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which permit uploading gzip-compressed XML files containing user-controllable content. The system deserializes these files without sufficient validation, enabling remote code execution through crafted XML payloads (CWE-502: Deserialization of Untrusted Data).

Exploitation requires local access (AV:L), low privileges (PR:L), and high attack complexity (AC:H), with no user interaction needed (UI:N). Successful attackers can achieve remote code execution on the target server, resulting in high confidentiality impact (C:H), low integrity and availability impacts (I:L/A:L), and a changed scope (S:C), as reflected in the CVSS v3.1 base score of 7.0.

The GitHub security advisory (GHSA-f9fh-r3cv-398f) confirms the issue is resolved in Ladybug version 3.0-20251107.114628, recommending an upgrade to mitigate the deserialization flaw.

Details

CWE(s): CWE-502 Deserialization of Untrusted Data

Affected Products

wearefrank/ladybug: ≤ 3.0-20251107.114628

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability enables low-privileged local users (PR:L, AV:L) to achieve remote code execution via unsafe deserialization of user-controlled XML payloads, directly facilitating Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References