CVE-2022-25647
Deserialization of Untrusted Data vulnerability in com.google.code.gson:gson

Classification: Deserialization of Untrusted Data | Known exploit: none | Fixable by: Resolved Security

What is CVE-2022-25647 About?

The `com.google.code.gson:gson` package before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the `writeReplace()` method in internal classes. The flaw can be exploited to cause a denial of service. Exploitation is moderately easy for an attacker who can control the serialized input.

Affected Software

com.google.code.gson:gson <2.8.9

Technical Details

The vulnerability in `com.google.code.gson:gson` versions earlier than 2.8.9 lies in the `writeReplace()` method of the library's internal classes during Java object serialization and deserialization. `writeReplace()` is a Java serialization hook that lets an object substitute a replacement object for itself when it is written to a stream. An attacker who controls the serialized input handed to an application that uses the Gson library can craft data that, when deserialized, triggers unintended behavior in `writeReplace()`. This can lead to resource exhaustion, infinite loops, or other stability issues, effectively a Denial of Service (DoS) that crashes the application or consumes excessive resources.

What is the Impact of CVE-2022-25647?

Successful exploitation may allow attackers to trigger denial of service conditions, leading to system unresponsiveness, application crashes, or resource exhaustion.

What is the Exploitability of CVE-2022-25647?

Exploitation of this vulnerability requires the ability to provide untrusted serialized data to an application that uses the vulnerable Gson library for deserialization. The complexity is moderate, as it involves crafting a specific payload that leverages `writeReplace()` in an internal class. No authentication or privileges are required beyond the ability to submit the malicious serialized data. The attack can be carried out remotely if the application exposes an endpoint that deserializes external input. The exposed surface is typically an application that deserializes data from untrusted sources such as API inputs, message queues, or persistent storage. The risk is higher when `com.google.code.gson:gson` is used in a server-side application that processes user-controlled structured data.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-25647?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch prevents direct Java deserialization of `LazilyParsedNumber`, `LinkedHashTreeMap`, and `LinkedTreeMap` by overriding their `readObject` methods to always throw `InvalidObjectException`, blocking unsafe object construction. This directly fixes CVE-2022-25647 by mitigating a deserialization vulnerability that could allow an attacker to execute code by supplying crafted serialized input; only the safe, intended replacement objects can be deserialized.
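The following Java program is an added example, not code from this page, from Gson, or from Resolved Security. It shows both of the defenses the Technical Details and the fix description above refer to: a library-style class that uses `writeReplace()` to serialize as a plain JDK type and a `readObject()` that throws `InvalidObjectException`, and an application-side JEP 290 `ObjectInputFilter` (Java 9+) that allowlists classes and caps nesting depth so a crafted stream is rejected before any object of an unexpected class is built. The class names `DeserializationGuardDemo`, `LazyNumberLike` and `Node`, the allowlist contents, and the sample payloads are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.io.Serializable;
import java.math.BigDecimal;
import java.util.HashMap;
import java.util.Map;

public class DeserializationGuardDemo {

    // Hypothetical stand-in for a library-internal Serializable class, hardened the way the
    // advisory describes. Name and fields are illustrative, not Gson's own code.
    static final class LazyNumberLike implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String text;

        LazyNumberLike(String text) { this.text = text; }

        // On the way out, Java serialization writes a BigDecimal instead of this object,
        // so a stream produced by the library never names the internal class at all.
        private Object writeReplace() throws ObjectStreamException {
            return new BigDecimal(text);
        }

        // On the way in, a stream that still names this class was not produced by
        // writeReplace(); reject it before any field state is reconstructed.
        private void readObject(ObjectInputStream in) throws InvalidObjectException {
            throw new InvalidObjectException("Deserialization of LazyNumberLike is unsupported");
        }
    }

    // Constructed linked node used to build a deeply nested graph: each element is one more
    // level of recursive readObject, the shape behind stack-exhaustion style payloads.
    static final class Node implements Serializable {
        private static final long serialVersionUID = 1L;
        Node next;
    }

    static Node chain(int length) {
        Node head = null;
        for (int i = 0; i < length; i++) { Node n = new Node(); n.next = head; head = n; }
        return head;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    // Application-side guard (JEP 290): accept only the listed classes, reject every other
    // class, and cap nesting depth so an oversized graph fails fast instead of consuming
    // the stack. The allowlist below is this example's own choice, not a recommendation.
    static Object deserializeGuarded(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=16;"
                + "java.math.BigDecimal;java.math.BigInteger;java.lang.Number;java.lang.String;"
                + "DeserializationGuardDemo$Node;"
                + "!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. The hardened class never reaches the wire: what comes back is a BigDecimal.
        Object restored = deserializeGuarded(serialize(new LazyNumberLike("42.5")));
        System.out.println("restored as " + restored.getClass().getName() + " = " + restored);

        // 2. Constructed payload naming a class outside the allowlist: rejected before any
        //    readObject() of that class runs.
        Map<String, Object> payload = new HashMap<>();
        payload.put("k", "v");
        try {
            deserializeGuarded(serialize(payload));
        } catch (InvalidClassException e) {
            System.out.println("HashMap payload rejected: " + e.getMessage());
        }

        // 3. Constructed deep graph of an allowed class: the depth limit trips long before
        //    the recursion could turn into a resource-exhaustion problem.
        try {
            deserializeGuarded(serialize(chain(1000)));
        } catch (InvalidClassException e) {
            System.out.println("1000-deep chain rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationGuardDemo.java && java DeserializationGuardDemo` on a Java 9 or later JDK. The two layers complement each other: the `writeReplace()`/`readObject()` pair is what a library can ship (the upgrade to 2.8.9 is the corresponding fix for Gson's own classes), while the `ObjectInputFilter` is what an application owner can enforce today on every `ObjectInputStream` that reads untrusted bytes, regardless of which library's classes appear in the stream.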

Available Upgrade Options

  • com.google.code.gson:gson
    • <2.8.9 → Upgrade to 2.8.9

Additional Resources

What are Similar Vulnerabilities to CVE-2022-25647?

Similar Vulnerabilities: CVE-2017-7525, CVE-2020-26938, CVE-2020-8840, CVE-2019-12384, CVE-2019-14439