CVE-2025-60887: An issue was discovered in Cista v0.15 and below.
An issue was discovered in Cista v0.15 and below. Insecure deserialization of untrusted input under certain conditions may lead to leaking of stack/heap addresses which may be used to bypass ASLR. Classes with pointer-like mechanics under the cista::raw namespace are prone to reference tampering, where Cista does not perform sufficient checks to safeguard against self-referencing pointers and referencing other data within the payload. The leak occurs if the deserialized values are observable by the attacker.
Security readout for executives and security teams
Plain-English summary
Cista v0.15 and earlier may reveal memory addresses when processing untrusted serialized data under certain conditions. The leak is not a direct takeover by itself, but could weaken memory protections and help chain attacks. Assess whether Cista processes attacker-controlled data in exposed services.
Executive priority
Treat as a targeted exposure review, not an emergency, unless Cista deserialization is internet-facing or reachable by untrusted users. Prioritize systems where memory disclosure could support a broader exploit chain.
Technical view
The issue is insecure deserialization involving pointer-like classes under cista::raw. Cista may not sufficiently prevent self-referencing pointers or references to other payload data. If attacker-observable after deserialization, stack or heap addresses may leak and potentially aid ASLR bypass. CVSS lists confidentiality impact only.
Likely exposure
Exposure is most likely where applications use Cista v0.15 or below to deserialize data supplied by remote or otherwise untrusted users, especially when deserialized values are returned, logged, or otherwise observable by the requester.
Exploitation context
The provided sources do not report active exploitation, and KEV status is false. Exploitation requires conditions where crafted serialized input is accepted and leaked deserialized values can be observed by the attacker.
Researcher notes
The record names CWE-502 and describes address disclosure through reference tampering. The affected CPE metadata is not populated, so product identification depends on dependency review rather than scanner matching alone.
Mitigation direction
Identify applications using Cista v0.15 or below.
Check the Cista project or maintainer guidance for fixed versions or recommended changes.
Avoid deserializing untrusted Cista payloads until guidance is applied.
Limit network exposure of services accepting serialized Cista input.
Reduce attacker visibility into deserialized values, logs, and error responses.
Validation and detection
Inventory dependencies and confirm any Cista version in use.
Review code paths that deserialize externally supplied Cista data.
Check for use of cista::raw pointer-like classes around untrusted payloads.
Verify whether deserialized values can be observed by users or logs.
Track the CVE record and referenced advisory for updates.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.