CVE-2025-60889
Published: 28 April 2026
Summary
CVE-2025-60889 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Stellar-Group Hpx. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-60889 is an insecure deserialization vulnerability (CWE-502) in StellarGroup HPX version 1.11.0. The issue arises under certain conditions during deserialization of untrusted input, which may enable attackers to execute arbitrary code or cause other unspecified impacts. Published on 2026-04-28, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high potential for remote exploitation with severe effects on confidentiality, integrity, and availability.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Successful exploitation could allow arbitrary code execution on affected systems running HPX 1.11.0, potentially leading to full system compromise or the unspecified impacts noted in the description.
Mitigation guidance and additional details are available in advisories from http://hpx.com, http://stellargroup.com, and https://gist.github.com/TrebledJ/b32fd5c469583493ab50244045c9a6e4.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209583
Vulnerability details
Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or cause other unspecified impacts.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Insecure deserialization (CWE-502) in a network-exposed service directly enables unauthenticated remote code execution, mapping to exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of flaws like CVE-2025-60889, directly eliminating the insecure deserialization vulnerability through patching.
SI-10 mandates validation of untrusted inputs prior to deserialization, preventing attackers from supplying malicious serialized data that leads to arbitrary code execution.
SI-16 enforces memory protections such as DEP and ASLR to block unauthorized code execution resulting from successful deserialization exploits in HPX.