
CVE-2025-49073: CWE-502 Deserialization of Untrusted Data in Axiomthemes Sweet Dessert

Severity: Critical
Tags: Vulnerability, CVE-2025-49073, CWE-502
Published: Fri Jun 06 2025 (06/06/2025, 12:13:28 UTC)
Source: CVE Database V5
Vendor/Project: Axiomthemes
Product: Sweet Dessert

Description

Deserialization of Untrusted Data vulnerability in Axiomthemes Sweet Dessert allows Object Injection. This issue affects Sweet Dessert: from n/a before 1.1.13.

AI-Powered Analysis

Last updated: 07/07/2025, 18:41:17 UTC

Technical Analysis

CVE-2025-49073 is a critical vulnerability classified under CWE-502 (Deserialization of Untrusted Data). It affects the Axiomthemes Sweet Dessert product in versions prior to 1.1.13. Deserialization vulnerabilities arise when an application reconstructs objects from serialized data supplied by an untrusted source without sufficient validation or sanitization, letting an attacker control which objects are created and with what contents. Here that results in object injection, which can lead to remote code execution, privilege escalation, or other severe impacts on the affected system. The CVSS v3.1 score of 9.8 (critical) reflects an attack vector that is network-based (AV:N) and requires neither privileges (PR:N) nor user interaction (UI:N); the impact on confidentiality, integrity, and availability is rated high (C:H/I:H/A:H), so exploitation could lead to full compromise of the host. No exploits are known in the wild, but the absence of a patch at the time of publication makes mitigation urgent. The flaw is particularly dangerous because crafted serialized data sent to the Sweet Dessert application is deserialized without proper validation, enabling arbitrary object injection and potentially execution of attacker-chosen code in the context of the application or server environment.

Potential Impact

For European organizations using the Axiomthemes Sweet Dessert product, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential lateral movement within corporate networks. Given the critical nature of the vulnerability and its ease of exploitation over the network without authentication or user interaction, attackers could compromise web servers hosting Sweet Dessert themes or plugins, leading to data breaches or defacement. This is particularly concerning for organizations in sectors such as e-commerce, hospitality, and content management where Sweet Dessert themes might be deployed. The impact extends beyond data loss to include reputational damage and regulatory penalties under GDPR if personal data is compromised. Additionally, the vulnerability could be leveraged as an entry point for more sophisticated attacks, including ransomware deployment or espionage, especially in high-value targets within Europe.

Mitigation Recommendations

Immediate mitigation steps include upgrading to Sweet Dessert version 1.1.13 or later once available, as this version is expected to address the deserialization flaw. Until a patch is released, organizations should implement network-level protections such as web application firewalls (WAFs) with custom rules to detect and block suspicious serialized payloads targeting the application. Restricting access to the Sweet Dessert application to trusted IP ranges and applying strict input validation and sanitization to all user-supplied data can reduce risk. Monitoring application logs for unusual deserialization attempts and anomalous behavior is critical for early detection. Organizations should also conduct a thorough inventory to identify every instance of Sweet Dessert in their environment and prioritize remediation accordingly. Runtime application self-protection (RASP) solutions can help detect and prevent exploitation attempts in real time. Finally, educating development and operations teams about secure deserialization practices will help prevent similar vulnerabilities in the future.
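The log monitoring and WAF rule the recommendations above call for, as an added example that is not code from this page or from Axiomthemes: a Python scanner that flags PHP serialized objects in request targets taken from web access logs, including percent-encoded and base64-wrapped forms. It assumes Sweet Dessert is a PHP/WordPress theme; the log lines, paths and parameter names are constructed placeholders, since the advisory does not identify the vulnerable endpoint or parameter.

```python
import base64
import re
from urllib.parse import unquote_plus

# A PHP serialized object starts O:<len>:"<Class>":<count>:{ ("C:" is the
# Serializable-interface form); the class name is captured for triage.
PHP_OBJECT_RE = re.compile(r'[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
# Base64 runs long enough to wrap an object; payloads are often encoded this
# way to slip past a naive "O:" substring rule.
BASE64_RUN_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
# Combined log format: client IP and request target are all we need here.
LOG_LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP')

# Constructed sample lines. Paths and parameter names are placeholders; the
# advisory does not name the vulnerable endpoint. The base64 value encodes
# O:8:"stdClass":0:{} so the base64 path of the scanner is exercised.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2025:12:13:28 +0000] "GET /?s=cake HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Jun/2025:12:14:02 +0000] "GET /?data=O%3A8%3A%22stdClass%22'
    '%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D HTTP/1.1" 500 0',
    '198.51.100.9 - - [06/Jun/2025:12:15:40 +0000] "POST /wp-admin/admin-ajax.php'
    '?data=Tzo4OiJzdGRDbGFzcyI6MDp7fQ== HTTP/1.1" 200 12',
    '203.0.113.5 - - [06/Jun/2025:12:16:11 +0000] "GET /?q=O%3Anot+an+object HTTP/1.1" 200 5120',
]

def decodings(value):
    """Yield the URL-decoded value, then the decoded form of every base64 run in it."""
    text = unquote_plus(value)
    yield text
    for run in BASE64_RUN_RE.findall(text):
        try:
            yield base64.b64decode(run, validate=True).decode("latin-1")
        except ValueError:  # binascii.Error (bad length/padding) subclasses ValueError
            continue

def serialized_classes(value):
    """Sorted class names of PHP serialized objects found in a query string or body."""
    return sorted({m.group(1) for text in decodings(value)
                   for m in PHP_OBJECT_RE.finditer(text)})

def scan_access_log(lines):
    """Return (client_ip, target, classes) for each request carrying a serialized object."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if m and (classes := serialized_classes(m.group("target"))):
            hits.append((m.group("ip"), m.group("target"), classes))
    return hits
```

Access logs do not record POST bodies, so also feed serialized_classes() the request bodies a WAF or RASP exposes. The pattern is a heuristic that will also match legitimate serialized data, so treat a hit as an alert to triage by class name rather than as grounds to block blindly.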


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-05-30T14:04:49.666Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842e15f1a426642debd4c9a

Added to database: 6/6/2025, 12:38:55 PM

Last enriched: 7/7/2025, 6:41:17 PM

Last updated: 8/14/2025, 7:57:03 AM

