LiveActive security incident?Get immediate response
CVE Record

CVE-2025-60887: An issue was discovered in Cista v0.15 and below.

An issue was discovered in Cista v0.15 and below. Insecure deserialization of untrusted input under certain conditions may lead to leaking of stack/heap addresses which may be used to bypass ASLR. Classes with pointer-like mechanics under the cista::raw namespace are prone to reference tampering, where Cista does not perform sufficient checks to safeguard against self-referencing pointers and referencing other data within the payload. The leak occurs if the deserialized values are observable by the attacker.

MediumCVSS 5.3Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

Cista v0.15 and earlier may reveal memory addresses when processing untrusted serialized data under certain conditions. The leak is not a direct takeover by itself, but could weaken memory protections and help chain attacks. Assess whether Cista processes attacker-controlled data in exposed services.

Executive priority

Treat as a targeted exposure review, not an emergency, unless Cista deserialization is internet-facing or reachable by untrusted users. Prioritize systems where memory disclosure could support a broader exploit chain.

Technical view

The issue is insecure deserialization involving pointer-like classes under cista::raw. Cista may not sufficiently prevent self-referencing pointers or references to other payload data. If attacker-observable after deserialization, stack or heap addresses may leak and potentially aid ASLR bypass. CVSS lists confidentiality impact only.

Likely exposure

Exposure is most likely where applications use Cista v0.15 or below to deserialize data supplied by remote or otherwise untrusted users, especially when deserialized values are returned, logged, or otherwise observable by the requester.

Exploitation context

The provided sources do not report active exploitation, and KEV status is false. Exploitation requires conditions where crafted serialized input is accepted and leaked deserialized values can be observed by the attacker.

Researcher notes

The record names CWE-502 and describes address disclosure through reference tampering. The affected CPE metadata is not populated, so product identification depends on dependency review rather than scanner matching alone.

Mitigation direction

  • Identify applications using Cista v0.15 or below.
  • Check the Cista project or maintainer guidance for fixed versions or recommended changes.
  • Avoid deserializing untrusted Cista payloads until guidance is applied.
  • Limit network exposure of services accepting serialized Cista input.
  • Reduce attacker visibility into deserialized values, logs, and error responses.

Validation and detection

  • Inventory dependencies and confirm any Cista version in use.
  • Review code paths that deserialize externally supplied Cista data.
  • Check for use of cista::raw pointer-like classes around untrusted payloads.
  • Verify whether deserialized values can be observed by users or logs.
  • Track the CVE record and referenced advisory for updates.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-502: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-60887 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
2Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.3CVSS 3.1MediumCVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N3.91.4mitre

Vulnerability scoring details

Base CVSS 3.1 score

5.3Medium
CVSS 3.1 vector shape for CVE-2025-60887Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-502 · source CWE mapping

Deserialization of Untrusted Data

Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.