CVE Catalog

CVE-2025-60887

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile - higher than 13% of all known CVEs

Summary

An insecure deserialization vulnerability was discovered in Cista v0.15 and below. Under certain conditions, it may leak stack/heap addresses, allowing bypass of ASLR protection.

Risk Assessment

An attacker can exploit the memory address leak to bypass ASLR, increasing the risk of further attacks such as process hijacking.

Recommendation

Upgrade Cista to a version newer than 0.15 immediately. If an upgrade is not possible, avoid deserializing data from untrusted sources.

Original NVD description (English source)

An issue was discovered in Cista v0.15 and below. Insecure deserialization of untrusted input under certain conditions may lead to leaking of stack/heap addresses which may be used to bypass ASLR. Classes with pointer-like mechanics under the cista::raw namespace are prone to reference tampering, where Cista does not perform sufficient checks to safeguard against self-referencing pointers and referencing other data within the payload. The leak occurs if the deserialized values are observable by the attacker.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS