CVE-2025-15222— Dromara Sa-Token SaSerializerTemplateForJdkUseBase64.java ObjectInputStream.readObject deserialization

CVSS 5.0 · Medium EPSS 0.10% · P26 Updated Jan 03, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-15222

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Dromara Sa-Token SaSerializerTemplateForJdkUseBase64.java ObjectInputStream.readObject deserialization

Source: NVD (National Vulnerability Database)

Vulnerability Description

A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

可信数据的反序列化

Source: NVD (National Vulnerability Database)

Vulnerability Title

Sa-Token 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Sa-Token是dromara开源的一个轻量级 Java 权限认证框架。 Sa-Token 1.44.0及之前版本存在代码问题漏洞，该漏洞源于对文件SaSerializerTemplateForJdkUseBase64.java中函数ObjectInputStream.readObject的错误操作，可能导致反序列化攻击。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Dromara	Sa-Token	1.0	-

II. Public POCs for CVE-2025-15222

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-15222

请登录查看更多情报信息。

https://github.com/Yohane-Mashiro/satoken-deserializationexploit
https://vuldb.com/?ctiid.338607signaturepermissions-required
https://vuldb.com/?id.338607vdb-entrytechnical-description
https://nvd.nist.gov/vuln/detail/CVE-2025-15222

IV. Related Vulnerabilities

Same product: Sa-Token

CVE-2025-15117
Dromara Sa-Token SaJdkSerializer.java ObjectInputStream.read

Same vendor: Dromara

Same weakness: CWE-502

V. Comments for CVE-2025-15222

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-15222— Dromara Sa-Token SaSerializerTemplateForJdkUseBase64.java ObjectInputStream.readObject deserialization

I. Basic Information for CVE-2025-15222

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-15222

III. Intelligence Information for CVE-2025-15222

IV. Related Vulnerabilities

V. Comments for CVE-2025-15222

Leave a comment