{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-60889", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-28T15:16:37.966Z", "dateReserved": "2025-09-26T00:00:00.000Z", "datePublished": "2026-04-28T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-28T15:16:37.966Z"}, "descriptions": [{"lang": "en", "value": "Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://hpx.com"}, {"url": "http://stellargroup.com"}, {"url": "https://gist.github.com/TrebledJ/b32fd5c469583493ab50244045c9a6e4"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts."}], "id": "CVE-2025-60889", "lastModified": "2026-04-28T20:23:20.703", "metrics": {}, "published": "2026-04-28T16:16:05.763", "references": [{"source": "cve@mitre.org", "url": "http://hpx.com"}, {"source": "cve@mitre.org", "url": "http://stellargroup.com"}, {"source": "cve@mitre.org", "url": "https://gist.github.com/TrebledJ/b32fd5c469583493ab50244045c9a6e4"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T19:34:46.217120+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued patch for HPX 1.11.0 as soon as it becomes available.", "If a patch is not yet released, disable or restrict the feature that accepts untrusted deserialization input.", "Implement strict input validation to ensure only properly formed, trusted data is processed.", "Monitor logs for anomalous deserialization activity and block suspicious payloads."], "summary": {"action": "Assess Impact", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "StellarGroup HPX version 1.11.0 is the only documented affected product. No additional vendors, product lines or patch versions are listed, so the scope is limited to that single component.", "description_and_impact": "The vulnerability is an insecure deserialization flaw that allows an attacker to supply crafted input to the StellarGroup HPX application, potentially causing the execution of arbitrary code. When the flaw is triggered, the originating attacker can subvert the confidentiality, integrity, and availability of the affected system, resulting in a full compromise of the environment running the vulnerable component. The description indicates that the issue surfaces under certain conditions, but the specific prerequisites for exploitation are not detailed in the available data.", "risk_and_exploitability": "The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is not disclosed, though the presence of arbitrary code execution implies a high severity rating. Based on the description, it is inferred that exploitation may be achieved remotely by supplying malicious data to the deserialization routine, although the exact attack vector is not specified. The risk to any system running the affected version is significant, especially if it is exposed to untrusted networks or users."}}}}, "created": "2026-04-28T19:45:07.589345+00:00", "title": "Insecure Deserialization Allows Arbitrary Code Execution in StellarGroup HPX 1.11.0", "updated": "2026-04-28T19:45:07.589357+00:00", "vendors": [], "weaknesses": ["CWE-502"]}