Deserialization in Google Gson
CVE-2022-25647
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Vulnerability class: Insecure Deserialization
EPSS: 0.029 (86.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.7 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H.
Affected products
- Google Gson
- Netapp Active_iq_unified_manager
- Oracle Financial_services_crime_and_compliance_management_studio — versions 8.0.8.2.0, 8.0.8.3.0
- Oracle Graalvm — versions 20.3.6, 21.3.2, 22.1.0
- Oracle Retail_order_broker — versions 18.0, 19.1
- Debian Debian_linux — versions 9.0, 10.0, 11.0
- N/a Com.google.code.gson:gson — versions unspecified
Weakness classification (CWE)
Public proof-of-concept exploits
References
- report@snyk.io (Third Party Advisory, x_refsource_MISC)
- report@snyk.io (Patch, Third Party Advisory, x_refsource_MISC)
- report@snyk.io (Patch, Third Party Advisory, x_refsource_MISC)
- report@snyk.io (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
- report@snyk.io (Patch, Third Party Advisory, x_refsource_MISC)
- report@snyk.io (x_refsource_CONFIRM, Third Party Advisory)
- report@snyk.io (mailing-list, x_refsource_MLIST, Third Party Advisory)
- report@snyk.io (vendor-advisory, Third Party Advisory, x_refsource_DEBIAN)
Frequently asked questions
- What is CVE-2022-25647?
- CVE-2022-25647 is a high-severity vulnerability in Google Gson, classified under Deserialization of Untrusted Data. CVSS score: 7.7/10. Published 2022-05-01.
- How severe is CVE-2022-25647?
- High severity. CVSS v3 base score is 7.7 out of 10.
- Is CVE-2022-25647 known to be exploited?
- 22 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.