CVE-2025-31129

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-31129
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31129.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-31129
Aliases
Published
2025-03-31T19:15:43Z
Modified
2025-04-01T22:49:32.150816Z
Summary
[none]
Details

Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x).

References

Affected packages

Git / github.com/jooby-project/jooby

Affected ranges

Type
GIT
Repo
https://github.com/jooby-project/jooby
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3e13562cf36d7407813eae464e0f4b598de15692

Affected versions

v0.*

v0.1.0
v0.10.0
v0.11.0
v0.11.1
v0.11.2
v0.14.0
v0.15.0
v0.15.1
v0.16.0
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.3
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.8.0
v0.8.2
v0.9.0
v0.9.1
v0.9.2

v1.*

v1.0.0
v1.0.0.CR1
v1.0.0.CR2
v1.0.0.CR3
v1.0.0.CR4
v1.0.0.CR5
v1.0.0.CR6
v1.0.0.CR7
v1.0.0.CR8
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.4.0
v1.4.1
v1.5.0

v2.*

v2.0.0
v2.0.0.M1
v2.0.0.M2
v2.0.0.M3
v2.0.0.RC1
v2.0.0.RC2
v2.0.0.RC3
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.1.0
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.14.0
v2.14.1
v2.14.2
v2.15.0
v2.15.1
v2.2.1
v2.3.0
v2.3.1
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.8.0
v2.8.1
v2.8.10
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6

v3.*

v3.0.0.M1
v3.0.0.M10
v3.0.0.M11
v3.0.0.M2
v3.0.0.M4
v3.0.0.M6
v3.0.0.M7
v3.0.0.M8
v3.0.0.M9
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.9
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.2.0
v3.2.1
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1
v3.4.0
v3.4.2
v3.4.3
v3.5.0
v3.5.1
v3.5.3
v3.5.4
v3.5.5
v3.6.0
v3.6.1