PatchSiren cyber security CVE debrief

CVE-2025-60889 Stellar Group CVE debrief

A critical vulnerability in Stellar Group HPX 1.11.0 and earlier allows insecure deserialization of untrusted input, potentially enabling remote code execution. The CVSS 3.1 score of 9.8 reflects a network attack vector with low attack complexity and no required privileges or user interaction. The vulnerability was published on April 28, 2026, and last modified on May 18, 2026. A third-party exploit advisory has been identified. Organizations using affected HPX versions should prioritize patching and implement input validation controls on serialized data.

Vendor: Stellar Group
Product: HPX
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-28
Original CVE updated: 2026-05-18
Advisory published: 2026-04-28
Advisory updated: 2026-05-18

Who should care

Organizations running HPX 1.11.0 or earlier in production environments, particularly those exposing HPX services to untrusted networks or processing serialized data from external sources.

Technical summary

CVE-2025-60889 is a critical insecure deserialization vulnerability (CWE-502) in Stellar Group HPX 1.11.0 and earlier. The vulnerability allows attackers to execute arbitrary code through crafted serialized input without authentication. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates network-based exploitation with low attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Affected CPE: cpe:2.3:a:stellar-group:hpx:*:*:*:*:*:*:*:* for versions up to and including 1.11.0.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade HPX to a version newer than 1.11.0 as soon as one is available from the vendor.
  • Implement strict input validation and sanitization for all serialized data inputs, and avoid deserializing data from untrusted sources where possible.
  • Apply the principle of least privilege to HPX service accounts and network segments, and restrict network exposure of HPX services to trusted peers.
  • Monitor for anomalous deserialization activity and unexpected process execution by HPX processes.
  • Review application logs for suspicious serialized object patterns.

Evidence notes

The vulnerability affects HPX versions up to and including 1.11.0 per NVD CPE criteria. The CWE-502 classification confirms insecure deserialization as the root cause. Multiple sources reference a third-party exploit advisory.

Official resources

The CVE was published on April 28, 2026, with a subsequent modification on May 18, 2026. The vulnerability remains under active analysis with no known KEV listing or ransomware campaign association at this time.