pac4j-core Affected by Java Deserialization Vulnerability
CVE-2023-25581
What is CVE-2023-25581?
The pac4j-core module of the pac4j Java framework is affected by a critical Java deserialization vulnerability, identified as CVE-2023-25581. The vulnerability allows for potential remote code execution (RCE) attacks due to a flaw in the deserialization process. Systems running versions before 4.0 of pac4j-core are at risk, as an attacker could exploit the vulnerability by providing an attribute containing a serialized Java object with a special prefix and Base64 encoding. While a fix has been released in version 4.0.0, there are no known workarounds, and users are strongly advised to upgrade to the latest version to mitigate the risk. This vulnerability highlights the importance of secure coding practices and thorough validation of user-controlled data in software development.
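To make the mechanism concrete from a defender's side, the following is an added example (not pac4j's own code and not the patched implementation): it shows the unsafe pattern the advisory describes, a prefixed Base64 attribute handed directly to `ObjectInputStream`, next to a detection check and two hardened alternatives. The prefix string `{#ser}` is a hypothetical placeholder, since the advisory does not name the real one, and the sample attribute value is constructed in `main`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;

/** Illustrates the unsafe attribute-restore pattern and hardened alternatives (example code, not pac4j's). */
public class AttributeDeserializationExample {

    /** Hypothetical stand-in for the "special prefix" the advisory mentions; the real value is not given here. */
    static final String SERIALIZED_PREFIX = "{#ser}";

    /** Java serialization stream header: AC ED 00 05. */
    private static final byte[] STREAM_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    /** VULNERABLE pattern: any prefixed, Base64-encoded value is deserialized without restriction. */
    static Object restoreUnsafe(String attributeValue) throws IOException, ClassNotFoundException {
        if (attributeValue != null && attributeValue.startsWith(SERIALIZED_PREFIX)) {
            byte[] raw = Base64.getDecoder().decode(attributeValue.substring(SERIALIZED_PREFIX.length()));
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
                return in.readObject(); // arbitrary class graph chosen by whoever controls the attribute
            }
        }
        return attributeValue;
    }

    /** Detection helper: does this attribute carry a Base64-encoded Java serialization stream? */
    static boolean looksLikeSerializedObject(String attributeValue) {
        if (attributeValue == null || !attributeValue.startsWith(SERIALIZED_PREFIX)) {
            return false;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(attributeValue.substring(SERIALIZED_PREFIX.length()));
        } catch (IllegalArgumentException notBase64) {
            return false;
        }
        if (raw.length < STREAM_MAGIC.length) {
            return false;
        }
        for (int i = 0; i < STREAM_MAGIC.length; i++) {
            if (raw[i] != STREAM_MAGIC[i]) {
                return false;
            }
        }
        return true;
    }

    /** HARDENED (preferred): keep attributes as plain strings and refuse serialized payloads outright. */
    static String restoreSafe(String attributeValue) {
        if (looksLikeSerializedObject(attributeValue)) {
            throw new IllegalArgumentException("serialized Java object in attribute is not accepted");
        }
        return attributeValue;
    }

    /** HARDENED (fallback): if deserialization cannot be avoided, allowlist the classes (Java 9+). */
    static Object restoreWithFilter(String attributeValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(attributeValue.substring(SERIALIZED_PREFIX.length()));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            // Only the listed classes may be instantiated; "!*" rejects everything else before construction.
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "java.lang.String;java.lang.Integer;java.util.ArrayList;!*"));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless serialized java.lang.String, prefixed and Base64-encoded.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject("hello");
        }
        String attr = SERIALIZED_PREFIX + Base64.getEncoder().encodeToString(bos.toByteArray());

        System.out.println("detected serialized payload: " + looksLikeSerializedObject(attr));
        System.out.println("plain value passes: " + restoreSafe("alice@example.org"));
        try {
            restoreSafe(attr);
        } catch (IllegalArgumentException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
        System.out.println("filtered restore of allowlisted type: " + restoreWithFilter(attr));
    }
}
```

The detection helper is also usable at a logging or WAF layer: an attribute that decodes to the `AC ED 00 05` header is a strong signal worth alerting on, independent of whether the application itself is patched. Upgrading to pac4j 4.0.0 or later remains the actual fix; the filter variant is a defence-in-depth measure for code paths where object deserialization of untrusted input genuinely cannot be removed.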
Affected Version(s)
pac4j < 4.0.0
News Articles
pac4j Java Framework Vulnerable to RCE Attacks
A critical security vulnerability has been discovered in the popular Java framework pac4j, affecting versions before 4.0.
