Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4802 vulnerabilities reference this CWE, most recent first.

GHSA-84XX-9G7M-WH84

Vulnerability from github – Published: 2025-04-28 18:30 – Updated: 2025-04-28 18:30
VLAI
Details

DevExpress before 23.1.3 does not properly protect XtraReport serialized data in ASP.NET web forms.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-28T16:15:25Z",
    "severity": "LOW"
  },
  "details": "DevExpress before 23.1.3 does not properly protect XtraReport serialized data in ASP.NET web forms.",
  "id": "GHSA-84xx-9g7m-wh84",
  "modified": "2025-04-28T18:30:56Z",
  "published": "2025-04-28T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35814"
    },
    {
      "type": "WEB",
      "url": "https://code-white.com/public-vulnerability-list"
    },
    {
      "type": "WEB",
      "url": "https://supportcenter.devexpress.com/ticket/details/t1141158/missing-protection-of-xtrareport-serialized-data-in-asp-net-web-forms"
    },
    {
      "type": "WEB",
      "url": "https://supportcenter.devexpress.com/ticket/details/t1158413/the-allowpassingdatasourceconnectionparameterstoclient-method-may-allow-untrusted-access"
    },
    {
      "type": "WEB",
      "url": "https://supportcenter.devexpress.com/ticket/details/t1160535/web-reporting-well-formed-request-to-a-report-control-s-backend-can-use"
    },
    {
      "type": "WEB",
      "url": "https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-853F-X27W-8R74

Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2023-08-21 19:53
VLAI
Summary
OpenNMS Horizon RCE via Unsafe Deserialization
Details

An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opennms.core:org.opennms.core.daemon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-12760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-13T00:25:26Z",
    "nvd_published_at": "2020-05-11T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.",
  "id": "GHSA-853f-x27w-8r74",
  "modified": "2023-08-21T19:53:38Z",
  "published": "2022-05-24T17:17:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12760"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenNMS/opennms/pull/2983"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenNMS/opennms/commit/e21fc14ce355533493da0db815bd81a66e291382"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenNMS/opennms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1"
    },
    {
      "type": "WEB",
      "url": "https://issues.opennms.org/browse/NMS-12673"
    },
    {
      "type": "WEB",
      "url": "https://www.opennms.com/en/blog/2020-04-29-opennms-horizon-26-0-1-luchador-released"
    },
    {
      "type": "WEB",
      "url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2018-1-18-wildfire-released"
    },
    {
      "type": "WEB",
      "url": "https://www.opennms.com/en/blog/2020-04-29-opennms-meridian-2019-1-6-europa-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenNMS Horizon RCE via Unsafe Deserialization"
}

GHSA-857V-XVH8-7HJC

Vulnerability from github – Published: 2026-07-06 09:30 – Updated: 2026-07-06 21:30
VLAI
Details

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component.

The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadata back from the configured secret backend by deserializing a Base64-wrapped value with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObject() side effects in a crafted object run before the type check. The same unfiltered legacy-migration read also remained in FileBasedKeyLifecycleManager (for the stored KeyPair and KeyMetadata). A principal who can write to the operator-controlled backend that holds these values - the HashiCorp Vault KV path, or the AWS Secrets Manager secret (requiring a Vault token or secretsmanager:PutSecretValue) - could store a crafted serialized object that is deserialized during normal key-lifecycle operations, potentially leading to code execution in the context of the application that manages the keys. This is an incomplete-remediation follow-on to CVE-2026-40048 (CAMEL-23200), which changed FileBasedKeyLifecycleManager to store metadata as JSON / PKCS#8 / X.509 but did not add an ObjectInputFilter, did not cover the Vault and AWS sibling managers, and left FileBasedKeyLifecycleManager's own legacy-migration deserialization unfiltered. This issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, restrict write access to the key backend so that only the application's own identity can write the camel-pqc secrets (least-privilege HashiCorp Vault policies and secretsmanager:PutSecretValue IAM), and keep the PQC key material in a backend separate from any data that less-trusted principals can write.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46590"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-06T09:16:37Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in Apache Camel PQC component.\n\nThe camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadata back from the configured secret backend by deserializing a Base64-wrapped value with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObject() side effects in a crafted object run before the type check. The same unfiltered legacy-migration read also remained in FileBasedKeyLifecycleManager (for the stored KeyPair and KeyMetadata). A principal who can write to the operator-controlled backend that holds these values - the HashiCorp Vault KV path, or the AWS Secrets Manager secret (requiring a Vault token or secretsmanager:PutSecretValue) - could store a crafted serialized object that is deserialized during normal key-lifecycle operations, potentially leading to code execution in the context of the application that manages the keys. This is an incomplete-remediation follow-on to CVE-2026-40048 (CAMEL-23200), which changed FileBasedKeyLifecycleManager to store metadata as JSON / PKCS#8 / X.509 but did not add an ObjectInputFilter, did not cover the Vault and AWS sibling managers, and left FileBasedKeyLifecycleManager\u0027s own legacy-migration deserialization unfiltered.\nThis issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, restrict write access to the key backend so that only the application\u0027s own identity can write the camel-pqc secrets (least-privilege HashiCorp Vault policies and secretsmanager:PutSecretValue IAM), and keep the PQC key material in a backend separate from any data that less-trusted principals can write.",
  "id": "GHSA-857v-xvh8-7hjc",
  "modified": "2026-07-06T21:30:36Z",
  "published": "2026-07-06T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46590"
    },
    {
      "type": "WEB",
      "url": "https://camel.apache.org/security/CVE-2026-46590.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-858X-9QCF-CW8V

Vulnerability from github – Published: 2022-05-14 03:40 – Updated: 2022-05-14 03:40
VLAI
Details

A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-12558"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-15T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.",
  "id": "GHSA-858x-9qcf-cw8v",
  "modified": "2022-05-14T03:40:11Z",
  "published": "2022-05-14T03:40:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12558"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03778en_us"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101152"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039495"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-85CW-HJ65-QQV9

Vulnerability from github – Published: 2019-09-23 18:33 – Updated: 2023-09-13 18:22
VLAI
Summary
Polymorphic Typing issue in FasterXML jackson-databind
Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.8.11.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-09-19T09:22:56Z",
    "nvd_published_at": "2019-09-15T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.",
  "id": "GHSA-85cw-hj65-qqv9",
  "modified": "2023-09-13T18:22:46Z",
  "published": "2019-09-23T18:33:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16335"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/2449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3200"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Oct/6"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20191004-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4542"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0159"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0160"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0161"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0164"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0445"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0729"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FasterXML/jackson-databind"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Polymorphic Typing issue in FasterXML jackson-databind"
}

GHSA-85QJ-F5WG-RWP9

Vulnerability from github – Published: 2026-06-23 21:30 – Updated: 2026-06-23 21:30
VLAI
Details

Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.

Affected versions: Spring Statemachine 4.0.0 through 4.0.1 Spring Statemachine 3.2.0 through 3.2.4

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-23T21:16:57Z",
    "severity": "HIGH"
  },
  "details": "Spring Statemachine\u0027s Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.\n\nAffected versions:\nSpring Statemachine 4.0.0 through 4.0.1\nSpring Statemachine 3.2.0 through 3.2.4",
  "id": "GHSA-85qj-f5wg-rwp9",
  "modified": "2026-06-23T21:30:32Z",
  "published": "2026-06-23T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41862"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-41862"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-85XP-WWWC-66G8

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 18:31
VLAI
Details

Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection.This issue affects Organici Library: from n/a through <= 2.1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T17:16:39Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection.This issue affects Organici Library: from n/a through \u003c= 2.1.2.",
  "id": "GHSA-85xp-wwwc-66g8",
  "modified": "2026-03-26T18:31:33Z",
  "published": "2026-03-25T18:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24976"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/noo-organici-library/vulnerability/wordpress-organici-library-plugin-2-1-2-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-862M-5253-832R

Vulnerability from github – Published: 2025-06-05 01:19 – Updated: 2025-06-05 01:19
VLAI
Summary
Auth0 Wordpress Plugin vulnerable to Deserialization of Untrusted Data
Details

Overview The Auth0 Wordpress plugin contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.

Am I Affected? You are affected by this vulnerability if you meet the following preconditions:

  1. Applications using the Auth0 WordPress plugin, versions between 5.0.0 BETA-0 to 5.0.1.
  2. Auth0 WordPress plugin uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.

Fix Upgrade the Auth0 WordPress plugin to the latest version (v5.3.0).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "auth0/wordpress"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-BETA0"
            },
            {
              "fixed": "5.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-05T01:19:24Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "**Overview**\nThe Auth0 Wordpress plugin contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.\n\n**Am I Affected?**\nYou are affected by this vulnerability if you meet the following preconditions:\n\n1. Applications using the Auth0 WordPress plugin, versions between 5.0.0 BETA-0 to 5.0.1. \n2. Auth0 WordPress plugin uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.\n\n**Fix**\nUpgrade the Auth0 WordPress plugin to the latest version (v5.3.0).",
  "id": "GHSA-862m-5253-832r",
  "modified": "2025-06-05T01:19:24Z",
  "published": "2025-06-05T01:19:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48951"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/auth0/wordpress"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Auth0 Wordpress Plugin vulnerable to Deserialization of Untrusted Data"
}

GHSA-86CP-MGJ2-W853

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2023-11-15 21:35
VLAI
Details

Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote unauthenticated attacker to create a reverse shell with administrator privileges on the DBSec server via carefully constructed Java serialized object sent to the DBSec server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-02T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote unauthenticated attacker to create a reverse shell with administrator privileges on the DBSec server via carefully constructed Java serialized object sent to the DBSec server.",
  "id": "GHSA-86cp-mgj2-w853",
  "modified": "2023-11-15T21:35:01Z",
  "published": "2022-05-24T19:03:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23894"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10359"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-86H2-47XR-3W77

Vulnerability from github – Published: 2025-04-08 21:31 – Updated: 2025-04-08 21:31
VLAI
Details

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30285"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T20:15:26Z",
    "severity": "HIGH"
  },
  "details": "ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-86h2-47xr-3w77",
  "modified": "2025-04-08T21:31:41Z",
  "published": "2025-04-08T21:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30285"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-15.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.