Critical Patch Updates, security alerts, and vulnerability disclosures for Oracle Java SE.
The following vulnerabilities were addressed in the January 2025 Critical Patch Update for Java SE. All CVSS scores use CVSS v3.1.
| CVE ID | Component | Severity | CVSS | Vector | Description |
|---|---|---|---|---|---|
| CVE-2025-21893 | JNDI | Critical | 9.8 | Network/Low | Remote code execution via crafted LDAP referral response in JNDI lookup operations |
| CVE-2025-21847 | JSSE (TLS) | Critical | 9.1 | Network/Low | TLS handshake bypass allowing man-in-the-middle interception of encrypted connections |
| CVE-2025-21902 | JAXP | Critical | 9.0 | Network/Low | XML External Entity injection leading to server-side request forgery and data exfiltration |
| CVE-2025-21815 | RMI | Critical | 8.8 | Network/Low | Deserialization of untrusted data in RMI registry enabling arbitrary code execution |
| CVE-2025-21778 | Security (PKI) | Critical | 8.6 | Network/Low | Certificate validation bypass in X.509 path building allows forged certificate acceptance |
| CVE-2025-21834 | Hotspot (JIT) | High | 7.5 | Network/Low | JIT compiler optimization flaw causing type confusion in compiled methods |
| CVE-2025-21856 | Serialization | High | 7.5 | Network/Low | Object deserialization gadget chain in core libraries leading to denial of service |
| CVE-2025-21871 | 2D (ImageIO) | High | 7.3 | Network/Low | Heap buffer overflow when parsing malformed TIFF images via ImageIO |
| CVE-2025-21809 | Networking | High | 7.1 | Network/Low | HTTP/2 HPACK header compression implementation allows resource exhaustion |
| CVE-2025-21823 | JAXB | High | 7.0 | Network/High | XML unmarshalling vulnerability allowing class instantiation of arbitrary types |
| CVE-2025-21867 | Deployment | High | 6.8 | Network/High | JNLP file processing flaw enabling local privilege escalation via Web Start |
| CVE-2025-21881 | Security (JAAS) | High | 6.5 | Network/Low | Authentication bypass in Kerberos login module under specific realm configurations |
| CVE-2025-21912 | Swing | Medium | 5.3 | Network/Low | Information disclosure via crafted Swing component rendering in untrusted applets |
| CVE-2025-21798 | Sound | Medium | 5.0 | Local/Low | Out-of-bounds read in MIDI file parser leading to information leakage |
| CVE-2025-21845 | Scripting (Nashorn) | Medium | 4.8 | Network/High | Sandbox escape in Nashorn JavaScript engine under restricted security manager |
| CVE-2025-21889 | AWT | Medium | 4.3 | Network/Low | Denial of service via malformed font file processing in AWT subsystem |
| CVE-2025-21907 | Libraries | Medium | 3.7 | Network/High | Timing side-channel in BigInteger modular exponentiation implementation |
The following table indicates which Java SE versions are affected by the January 2025 CPU vulnerabilities:
| Java SE Version | Affected | Fixed In | End of Public Updates |
|---|---|---|---|
| Java SE 22.0.1 | No | N/A | September 2024 |
| Java SE 21.0.5 (LTS) | Yes | 21.0.6 | September 2028 |
| Java SE 17.0.13 (LTS) | Yes | 17.0.14 | September 2029 |
| Java SE 11.0.25 (LTS) | Yes | 11.0.26 | Extended Support |
| Java SE 8 Update 411 | Yes | 8 Update 421 | Extended Support |