GHSA-7c5v-895v-w4q5

Source
https://github.com/advisories/GHSA-7c5v-895v-w4q5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-7c5v-895v-w4q5/GHSA-7c5v-895v-w4q5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7c5v-895v-w4q5
Aliases
Published
2025-04-01T14:19:43Z
Modified
2025-04-01T15:01:54.395152Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
jooby-pac4j: deserialization of untrusted data
Details

Impact

Versions of io.jooby:jooby-pac4j in the 2.x and 3.x lines, before the patched releases listed below, can deserialize untrusted data.

Patches

  • 2.17.0 (2.x)
  • 3.7.0 (3.x)

Workarounds

  • Do not use io.jooby:jooby-pac4j until the patched versions are available.
  • Review which values are put into or saved in the session.

References

Version 2.x: https://github.com/jooby-project/jooby/blob/v2.x/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L39-L45

Version 3.x: https://github.com/jooby-project/jooby/blob/v3.6.1/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L77-L84

Cause

In the pac4j module, io.jooby.internal.pac4j.SessionStoreImpl#get handles session lookups and retrieves the value stored under a key. Its strToObject function deserializes that value whenever the value starts with "b64~", which can result in deserialization of untrusted data.

modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java

Here's a small demo using SessionStoreImpl#get to handle sessions, where the user can pass parameters.

(Screenshot 2025-03-25 051325)

And the following shows the exploit succeeding (the calculator is executed):

(Screenshot 2025-03-24 015128(1))
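The pattern described under Cause, shown as an added illustration (hypothetical code, not jooby's; the real SessionStoreImpl is linked above): a session value prefixed with "b64~" is base64-decoded and handed to ObjectInputStream, and the same function with an ObjectInputFilter allowlist rejects any class the session does not legitimately hold. The class name, the allowlist contents and the sample values are assumptions made for the demo.

```java
import java.io.*;
import java.util.*;

// Hypothetical stand-in for the "b64~" session-value handling the advisory describes;
// not jooby's code (the real SessionStoreImpl is linked above).
public class SessionValueDemo {
    static final String PREFIX = "b64~";

    // filter == null reproduces the vulnerable shape (CWE-502): any class the stream names
    // is instantiated. A non-null ObjectInputFilter (Java 9+) rejects classes outside the allowlist.
    static Object strToObject(String value, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        if (value == null || !value.startsWith(PREFIX)) {
            return value; // plain strings pass through untouched
        }
        byte[] raw = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            if (filter != null) {
                in.setObjectInputFilter(filter); // must be set before the first read
            }
            return in.readObject();
        }
    }

    // Builds the "b64~" representation of a constructed sample value.
    static String toSessionValue(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return PREFIX + Base64.getEncoder().encodeToString(buf.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // The allowlist is an assumption for this demo: name exactly the types the session stores.
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.String;maxdepth=5;!*");
        String roles = toSessionValue(new ArrayList<>(List.of("user")));
        System.out.println("allowed:   " + strToObject(roles, allow));
        // HashMap stands in for any class the application never stores in the session.
        String unexpected = toSessionValue(new HashMap<String, String>());
        System.out.println("no filter: " + strToObject(unexpected, null).getClass().getName());
        try {
            strToObject(unexpected, allow);
        } catch (InvalidClassException e) {
            System.out.println("filtered:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

The unfiltered call returns a live java.util.HashMap, while the filtered call fails with an InvalidClassException before the class is resolved; that rejection is also the event worth logging when auditing what a session carries.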

Database specific
{
    "nvd_published_at": "2025-03-31T19:15:43Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-01T14:19:43Z"
}
Affected packages

Maven / io.jooby:jooby-pac4j

Package

Name
io.jooby:jooby-pac4j
Purl
pkg:maven/io.jooby/jooby-pac4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.17.0

Affected versions

2.*

2.4.0
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.7.0
2.7.1
2.7.2
2.7.3
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.10.0
2.11.0
2.12.0
2.13.0
2.14.0
2.14.1
2.14.2
2.15.0
2.15.1
2.16.0
2.16.1
2.16.2
2.16.3
2.16.4

Maven / io.jooby:jooby-pac4j

Package

Name
io.jooby:jooby-pac4j
Purl
pkg:maven/io.jooby/jooby-pac4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0.M1
Fixed
3.7.0

Affected versions

3.*

3.0.0.M1
3.0.0.M2
3.0.0.M3
3.0.0.M4
3.0.0.M5
3.0.0.M6
3.0.0.M7
3.0.0.M9
3.0.0.M11
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.6.0
3.6.1