CVE-2025-3413: Remote deserialization vulnerability in opplus springboot-admin (SysGeneratorController.java). An attacker who can manipulate the Tables argument can trigger deserialization of untrusted data and potentially gain code execution. The flaw affects builds up to commit a2d5310f44fd46780a8686456cf2f9001ab8f024; the VulDB record classifies it as critical and remotely exploitable, while its CVSS base scores (6.3 v3.x, 6.5 v2.0) fall in the Medium band. Exact affected and fixed releases cannot be stated because the project does not use versioning. Exploitation details have been disclosed publicly.

Description Preview

A vulnerability has been identified in opplus springboot-admin up to build a2d5310f44fd46780a8686456cf2f9001ab8f024. The code path in SysGeneratorController.java processes the Tables argument in a way that deserializes untrusted data. The flaw can be triggered remotely by crafting input that the application deserializes, which can lead to arbitrary code execution on affected systems. The issue is categorized under CWE-502 (Deserialization of Untrusted Data) and CWE-20 (Improper Input Validation). The vendor has not published a versioned fix, and the record notes that no versioning information is available to separate affected from unaffected releases. All three published CVSS base scores are in the Medium band (CVSS v3.1 6.3; CVSS v3.0 6.3; CVSS v2.0 6.5), reflecting remote exploitability with limited per-component impact. Public exploit details and CTI indicators are referenced below, underscoring the need for mitigation and monitoring.

Overview

This CVE describes a remote deserialization vulnerability in opplus springboot-admin, specifically in the SysGeneratorController.java logic where the Tables argument can be manipulated to trigger deserialization of untrusted data. VulDB classifies the issue as critical, while the CVSS base score is Medium (6.3); the page does not state what privileges the attacker needs, so treat any deployment whose generator endpoint is reachable as exposed. Successful exploitation could lead to arbitrary code execution on vulnerable deployments. Affected builds are those up to commit a2d5310f44fd46780a8686456cf2f9001ab8f024; because the project does not publish versioned releases, there is no official statement of a fixed release, and operators must compare their deployed build against the repository history themselves. The issue is associated with deserialization (CWE-502) and inadequate input validation (CWE-20), and public disclosures indicate that exploit details are available. Given the remote exposure and potential impact, this vulnerability warrants urgent attention where the software is deployed.

Remediation

  • Check the upstream repository for a commit that changes how SysGeneratorController.java handles the Tables argument, and deploy a build that includes it as soon as one exists; there is no versioned release to wait for.
  • If no fix is available, treat the Tables parameter as a list of table identifiers: validate it against a tight pattern (for example letters, digits and underscores, bounded length) and do not pass it to any object-deserialization routine in SysGeneratorController.java.
  • Replace object deserialization of user-supplied input with explicit parsing of a structured format (a comma-separated list, or JSON bound to a fixed DTO), so that no attacker-chosen class can be instantiated.
  • Where deserialization cannot be removed immediately, enforce an allowlist of permitted classes with the JDK serialization filter (ObjectInputFilter, JEP 290; JDK 9+ and 8u121+) that ends in "!*" and sets depth and array limits; a process-wide filter via the jdk.serialFilter system property adds defence in depth. The Java Security Manager is deprecated and is not a substitute.
  • Introduce network-level mitigations: place the service behind a WAF or reverse proxy that blocks Java serialized payloads in request parameters (Base64 streams beginning with "rO0AB"), and restrict inbound access to trusted networks. Such rules catch only straightforward encodings, so they complement, not replace, the code fix.
  • Reduce the attack surface by running the application under least privilege with container resource and capability limits, and monitor for anomalous values of the Tables parameter.
  • Enable and review logging for deserialization failures (InvalidClassException, StreamCorruptedException), for Tables values that decode to a serialization stream, and for unusual activity against the SysGeneratorController endpoint; alert on potential exploitation attempts.
  • Refactor at the code level to remove direct deserialization of user-supplied input, and conduct a security review or third-party assessment focused on input handling and deserialization pathways.
  • If exploitation is suspected, rotate credentials and review access tokens associated with the affected service, then run a vulnerability scan and verify remediation after applying controls or patches.
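
The following is an added example, not code from opplus/springboot-admin. It assumes the Tables parameter arrives as a Base64-encoded Java serialized object, which the advisory does not confirm (it only states that the argument is deserialized). The vulnerable pattern is shown beside two hardened forms: a JEP 290 ObjectInputFilter allowlist that ends in "!*", and the preferred replacement that never opens an object stream and instead validates a comma-separated list of table identifiers. TablesParamHardening, TableSelection and the identifier pattern are hypothetical names chosen for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added illustration with hypothetical class names, not project code.
 * Assumes the Tables parameter is a Base64-encoded Java serialized object.
 */
public class TablesParamHardening {

    /** Hypothetical DTO standing in for whatever the generator expects. */
    public static final class TableSelection implements Serializable {
        private static final long serialVersionUID = 1L;
        public final List<String> tableNames = new ArrayList<>();
    }

    /** VULNERABLE (CWE-502): any Serializable class on the classpath is
     *  instantiated on the attacker's say-so before this method sees a type. */
    public static Object deserializeUnsafe(String tablesParam)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(tablesParam);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    /** Hardened variant 1: keep the object stream but pin it to an allowlist and
     *  size limits (JEP 290, JDK 9+ / 8u121+). "!*" rejects every class not listed,
     *  so gadget-chain classes are never loaded. */
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;maxrefs=2000;"
                    + TableSelection.class.getName() + ";java.util.ArrayList;java.lang.String;!*");

    public static TableSelection deserializeAllowlisted(String tablesParam)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(tablesParam);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ALLOWLIST); // must precede readObject(); rejections throw InvalidClassException
            Object o = in.readObject();
            if (!(o instanceof TableSelection)) {
                throw new InvalidClassException("unexpected top-level object in Tables");
            }
            return (TableSelection) o;
        }
    }

    /** Hardened variant 2 (preferred): no object stream at all. Each identifier is
     *  checked against a tight pattern before it can reach a code generator or a
     *  SQL metadata query. */
    private static final Pattern TABLE_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9_]{0,63}");

    public static List<String> parseTableNames(String tablesParam) {
        if (tablesParam == null || tablesParam.length() > 4096) {
            throw new IllegalArgumentException("Tables parameter missing or too long");
        }
        List<String> names = new ArrayList<>();
        for (String part : tablesParam.split(",")) {
            String name = part.trim();
            if (!TABLE_NAME.matcher(name).matches()) {
                throw new IllegalArgumentException("invalid table name: " + name);
            }
            names.add(name);
        }
        return names;
    }

    /** Helper: serialize and Base64-encode, as a legitimate client would. */
    static String encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        TableSelection sel = new TableSelection();
        sel.tableNames.add("sys_user");
        System.out.println("allowlisted: " + deserializeAllowlisted(encode(sel)).tableNames);
        try {
            deserializeAllowlisted(encode(new HashMap<String, String>())); // not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
        System.out.println("parsed: " + parseTableNames("sys_user, sys_role"));
    }
}
```

Compile and run with javac and java on JDK 11 or later. The filter string is evaluated first-match-wins, so the explicit class entries must precede "!*"; the limits guard against deeply nested or oversized streams that would otherwise exhaust memory before any class check fails. Variant 2 is the one to keep: a generator only needs table names, and a plain identifier list cannot carry a gadget chain.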

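The following is an added detection example for the monitoring item above, not code from the project. It assumes a conventional access-log line format and a hypothetical URL prefix /sys/generator for SysGeneratorController (the advisory names the class, not its URL mapping). The three log lines are constructed; the second carries a Base64-encoded serialized empty java.util.HashMap, used here as a harmless stand-in for an attacker's payload. The scanner flags any Tables value that decodes to a Java serialization stream (header 0xACED0005, Base64 prefix "rO0AB") and lists the class names found in its TC_CLASSDESC records without deserializing it, so the alert shows what the payload would instantiate.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added detection example; the path, log format and sample lines are assumptions. */
public class TablesPayloadDetector {

    /** Hypothetical URL prefix for SysGeneratorController (not taken from the advisory). */
    static final String GENERATOR_PATH = "/sys/generator";

    /** Java serialization header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005. */
    static final byte[] JAVA_SER_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    static final Pattern REQUEST = Pattern.compile("\"(GET|POST|PUT) (\\S+) HTTP/");

    /** Constructed sample lines; the second carries a serialized empty java.util.HashMap. */
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] \"GET /sys/generator/code?Tables=sys_user,sys_role HTTP/1.1\" 200",
        "10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] \"GET /sys/generator/code?Tables="
            + "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeA%3D%3D"
            + " HTTP/1.1\" 500",
        "10.0.0.7 - - [01/Jan/2025:10:00:03 +0000] \"GET /login?next=%2F HTTP/1.1\" 200"
    };

    /** Returns one alert per log line whose Tables value is a Java serialization stream. */
    static List<String> scan(String[] lines) {
        List<String> alerts = new ArrayList<>();
        for (String line : lines) {
            Matcher m = REQUEST.matcher(line);
            if (!m.find()) continue;
            String target = m.group(2);
            int q = target.indexOf('?');
            String path = q < 0 ? target : target.substring(0, q);
            if (!path.startsWith(GENERATOR_PATH)) continue;
            String tables = parseQuery(q < 0 ? "" : target.substring(q + 1)).get("tables");
            if (tables == null) continue;
            byte[] raw = tryBase64(tables);
            if (raw == null || raw.length < JAVA_SER_MAGIC.length
                    || !Arrays.equals(Arrays.copyOf(raw, JAVA_SER_MAGIC.length), JAVA_SER_MAGIC)) continue;
            alerts.add("serialized Java object in Tables from " + line.split(" ")[0]
                    + " classes=" + classNames(raw));
        }
        return alerts;
    }

    /** Splits a query string; keys are lower-cased so "Tables" and "tables" both match. */
    static Map<String, String> parseQuery(String query) {
        Map<String, String> out = new LinkedHashMap<>();
        if (query.isEmpty()) return out;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8).toLowerCase(),
                    URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    /** Tries standard then URL-safe Base64; returns null if the value is not Base64 at all. */
    static byte[] tryBase64(String s) {
        String t = s.replace(' ', '+'); // URLDecoder turns an unencoded '+' into a space
        try { return Base64.getDecoder().decode(t); } catch (IllegalArgumentException ignored) { }
        try { return Base64.getUrlDecoder().decode(t); } catch (IllegalArgumentException ignored) { }
        return null;
    }

    /** Heuristic: class names from TC_CLASSDESC records (0x72, 2-byte length, name),
     *  read as bytes only; nothing is deserialized. */
    static List<String> classNames(byte[] raw) {
        List<String> names = new ArrayList<>();
        for (int i = 0; i + 3 < raw.length; i++) {
            if (raw[i] != 0x72) continue;
            int len = ((raw[i + 1] & 0xFF) << 8) | (raw[i + 2] & 0xFF);
            // name must fit, followed by at least serialVersionUID (8) and flags (1)
            if (len == 0 || len > 200 || i + 3 + len + 9 > raw.length) continue;
            String name = new String(raw, i + 3, len, StandardCharsets.ISO_8859_1);
            if (name.matches("[A-Za-z_$][A-Za-z0-9_$.\\[;]*")) names.add(name);
        }
        return names;
    }

    public static void main(String[] args) {
        for (String alert : scan(SAMPLE_LOG)) System.out.println("ALERT: " + alert);
    }
}
```

Run it with javac and java on JDK 11 or later; only the second sample line produces an alert, naming java.util.HashMap. A SIEM or WAF rule on the "rO0AB" prefix is the quick equivalent, but it misses URL-safe Base64 and double-encoded values, which is why the scanner decodes before checking the header.
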
References

  • https://vuldb.com/?id.303691 — VDB-303691 | opplus springboot-admin SysGeneratorController.java code deserialization
  • https://vuldb.com/?ctiid.303691 — VDB-303691 | CTI Indicators (IOB, IOC, IOA)
  • https://vuldb.com/?submit.545374 — Submit #545374 | https://github.com/opplus/springboot-admin springboot-admin 1 RCE
  • https://github.com/mapl3miss/Vul/blob/main/Vul.md — Exploit reference for the vulnerability

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services: Low
  2. Administrative, Support, Waste Management & Remediation Services: Low
  3. Agriculture, Forestry, Fishing & Hunting: Low
  4. Arts, Entertainment & Recreation: Low
  5. Construction: Low
  6. Educational Services: Low
  7. Finance and Insurance: Low
  8. Health Care & Social Assistance: Low
  9. Information: Low
  10. Management of Companies & Enterprises: Low
  11. Manufacturing: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
