jooby-pac4j, Deserialization of Untrusted Data, CVE-2025-XXXX (Critical)

How the CVE Works

The vulnerability in `jooby-pac4j` (versions < 2.17.0 and 3.0.0.M1 to < 3.7.0) arises from insecure deserialization in the `SessionStoreImpl` class. When a stored session value starts with the prefix "b64~", the `strToObject` function Base64-decodes the remainder and deserializes it with `ObjectInputStream` without any validation of the classes in the stream. An attacker who controls a session value can therefore supply a crafted serialized object that executes arbitrary code when it is deserialized. The `SessionStoreImpl.get` method retrieves and decodes these values, so any read of an attacker-controlled session entry can lead to Remote Code Execution (RCE).
A proof-of-concept (PoC) demonstrates this by deserializing a crafted object to execute system commands (e.g., launching calc.exe). The absence of input validation, combined with unfiltered native Java deserialization (`ObjectInputStream`), is what makes the exploit possible.

DailyCVE Form

Platform: jooby-pac4j
Version: <2.17.0, 3.0.0-3.6.9
Vulnerability: RCE via deserialization
Severity: Critical
Date: 2025-04-01

What Undercode Says:

Exploitation:

1. Payload Crafting:

String payload = "b64~" + Base64.getEncoder().encodeToString(serializedMaliciousObject);

2. Session Injection:

POST /login HTTP/1.1
Cookie: SESSION=malicious_b64_payload

3. Trigger Deserialization:

SessionStoreImpl.get("malicious_key"); // Executes payload

Protection:

1. Patch Immediately:

<dependency>
    <groupId>io.jooby</groupId>
    <artifactId>jooby-pac4j</artifactId>
    <version>3.7.0</version>
</dependency>

2. Input Validation:

// Reject the serialized-object marker before the value reaches strToObject
if (value.startsWith("b64~")) {
    throw new SecurityException("Blocked unsafe deserialization");
}

3. Use Safe Serialization: Replace native Java serialization (`ObjectInputStream`) of session values with a data-only format such as JSON or XML, bound to explicitly declared types rather than to whatever class name the stream supplies.
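The following is an added example, not code from jooby-pac4j or from the advisory. It reproduces the pattern the advisory describes (a "b64~" prefix marking a Base64-encoded, Java-serialized session value) and places the unfiltered decode next to a hardened decode that uses a JEP 290 `ObjectInputFilter` allow-list plus size and depth limits. The class and method names (`SessionValueCodec`, `safeStrToObject`, `objToStr`), the byte limit and the allow-listed types are assumptions chosen for the illustration; the allow-list must be adapted to the types the application actually stores.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration; not code from jooby-pac4j. Names, limits and the
// allow-list below are assumptions for the example.
public final class SessionValueCodec {
    static final String PREFIX = "b64~";
    static final int MAX_BYTES = 64 * 1024;   // session values are small; larger is suspect

    // Vulnerable shape: the stream (i.e. the client) decides which classes get
    // instantiated, so any gadget class on the classpath is reachable.
    static Object unsafeStrToObject(String value) throws IOException, ClassNotFoundException {
        if (!value.startsWith(PREFIX)) return value;
        byte[] raw = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Hardened shape: an ObjectInputFilter (Java 9+, JEP 290) admits only the
    // types a session value is expected to contain, caps size and nesting, and
    // rejects every other class before its readObject/constructor logic runs.
    // java.lang.Number is listed because it is the serializable superclass of
    // Integer/Long and its class descriptor is checked by the filter as well.
    static final ObjectInputFilter SESSION_FILTER = ObjectInputFilter.Config.createFilter(
            "maxbytes=" + MAX_BYTES + ";maxdepth=5;maxarray=1024;"
          + "java.lang.String;java.lang.Number;java.lang.Integer;java.lang.Long;"
          + "java.lang.Boolean;java.util.HashMap;java.util.ArrayList;!*");

    static Object safeStrToObject(String value) throws IOException, ClassNotFoundException {
        if (!value.startsWith(PREFIX)) return value;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            throw new SecurityException("session value is not valid Base64", e);
        }
        if (raw.length > MAX_BYTES) throw new SecurityException("session value too large");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(SESSION_FILTER);   // must be set before any readObject
            return in.readObject();   // InvalidClassException "filter status: REJECTED" otherwise
        }
    }

    // Encoder matching the advisory's description; used only to build the samples below.
    static String objToStr(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return PREFIX + Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> session = new HashMap<>();   // constructed sample value
        session.put("user", "alice");
        session.put("logins", 3);
        System.out.println("accepted: " + safeStrToObject(objToStr(session)));

        // A harmless class outside the allow-list stands in for anything unexpected:
        // the filter rejects it by name before any of its deserialization code runs.
        try {
            safeStrToObject(objToStr(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("plain:    " + safeStrToObject("alice"));
    }
}
```

The filter is the control that makes the difference: with it, a stream naming a class outside the list fails with `InvalidClassException` before that class's `readObject` runs, whereas `unsafeStrToObject` instantiates whatever the stream names. The `!*` terminator matters, because a class matched by no pattern is otherwise left undecided and deserialized.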

Detection Commands:

grep -r "strToObject" /path/to/jooby-pac4j
java -jar ysoserial.jar CommonsCollections5 'calc' | base64
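The commands above find the vulnerable code path; they do not tell you what a stored session value would instantiate. The following is an added triage example, not part of the advisory or of jooby-pac4j: given a "b64~"-prefixed session value, it lists the class names contained in the serialized stream without deserializing anything, by walking the bytes for `TC_CLASSDESC` markers followed by a length-prefixed class name, and reports any class outside an expected set. The class name `SerializedClassLister`, the `EXPECTED` set and the sample values are assumptions constructed for the example; `STREAM_MAGIC` and `TC_CLASSDESC` are the real constants from `java.io.ObjectStreamConstants`.

```java
import static java.io.ObjectStreamConstants.STREAM_MAGIC;
import static java.io.ObjectStreamConstants.TC_CLASSDESC;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added triage tool; not part of the advisory or of jooby-pac4j. The EXPECTED
// set is an assumption: adjust it to the value types the application stores.
public final class SerializedClassLister {
    static final String PREFIX = "b64~";
    static final Pattern CLASS_NAME = Pattern.compile("\\[*L?[A-Za-z_$][A-Za-z0-9_$.]*;?");
    static final Set<String> EXPECTED = Set.of("java.util.HashMap", "java.util.ArrayList",
            "java.lang.String", "java.lang.Number", "java.lang.Integer", "java.lang.Long");

    static boolean hasStreamMagic(byte[] b) {
        return b.length >= 2 && (((b[0] & 0xFF) << 8) | (b[1] & 0xFF)) == (STREAM_MAGIC & 0xFFFF);
    }

    // Heuristic walk: a class descriptor is TC_CLASSDESC (0x72), a 2-byte big-endian
    // length, then the class name in modified UTF-8. Ordinary string data can contain
    // 0x72 too, so the length and the name shape are checked before a match counts.
    static List<String> listClassNames(byte[] b) {
        List<String> names = new ArrayList<>();
        for (int i = 0; i + 3 < b.length; i++) {
            if (b[i] != TC_CLASSDESC) continue;
            int len = ((b[i + 1] & 0xFF) << 8) | (b[i + 2] & 0xFF);
            if (len == 0 || len > 512 || i + 3 + len > b.length) continue;
            String name = new String(b, i + 3, len, StandardCharsets.ISO_8859_1);
            if (CLASS_NAME.matcher(name).matches() && !names.contains(name)) names.add(name);
        }
        return names;
    }

    // Classes outside the expected set; an empty list means nothing unusual was named.
    static List<String> unexpectedClasses(String sessionValue) {
        if (!sessionValue.startsWith(PREFIX)) return List.of();
        byte[] raw = Base64.getDecoder().decode(sessionValue.substring(PREFIX.length()));
        if (!hasStreamMagic(raw)) return List.of("<not a Java serialization stream>");
        List<String> out = new ArrayList<>();
        for (String n : listClassNames(raw)) if (!EXPECTED.contains(n)) out.add(n);
        return out;
    }

    // Encodes a value the way the advisory describes, only to build samples for main.
    static String encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return PREFIX + Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws IOException {
        Map<String, Object> normal = new HashMap<>();   // constructed sample session
        normal.put("user", "alice");
        normal.put("logins", 3);
        System.out.println("normal session  -> " + unexpectedClasses(encode(normal)));
        // A harmless class the session is not expected to hold stands in for a stream
        // naming anything unusual; it is reported by name and never instantiated.
        Map<String, Object> odd = new HashMap<>(normal);
        odd.put("seen", new java.util.Date());
        System.out.println("unusual session -> " + unexpectedClasses(encode(odd)));
        System.out.println("plain string    -> " + unexpectedClasses("alice"));
    }
}
```

Run this over values pulled from the session store or from request cookies during an investigation: the same prefix appears on legitimate values, because the library uses it for any non-string session attribute, so the prefix alone is not an indicator; a stream that names classes the application never stores is.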

Mitigation Script:

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Wrapper that refuses any session value carrying the serialized-object marker.
// The get(String) signature and the SLF4J logger are assumptions carried over
// from the snippet; adapt the override to the SessionStoreImpl API of the
// version in use. Note that the check must run on the raw stored string before
// strToObject decodes it: a value that has already been deserialized by the
// superclass is checked too late, so hook the retrieval of the raw value.
public class SafeSessionStore extends SessionStoreImpl {
    private static final Logger log = LoggerFactory.getLogger(SafeSessionStore.class);

    @Override
    public Object get(String key) {
        Object value = super.get(key);
        if (value instanceof String && ((String) value).startsWith("b64~")) {
            log.warn("Blocked deserialization attempt for session key {}", key);
            return null;
        }
        return value;
    }
}

References:

Reported By: https://github.com/advisories/GHSA-7c5v-895v-w4q5