What is CVE-2023-25581?

CVE-2023-25581 is a vulnerability in Pac4j, classified under Deserialization of Untrusted Data. Published 2024-10-10.

Is CVE-2023-25581 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Pac4j

CVE-2023-25581

pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` c…

Vulnerability class: Insecure Deserialization

EPSS: 0.190 (95.5th percentile) — read the EPSS interpretation.

Affected products

Pac4j — versions < 4.0.0

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

References

https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/ (x_refsource_CONFIRM)
https://github.com/frohoff/ysoserial (x_refsource_MISC)
https://github.com/pac4j/pac4j/blob/5834aeb22ad3a4369dfa572be60d7b20f5784a8f/pac4j-core/src/main/java/org/pac4j/core/profile/InternalAttributeHandler.java#L95 (x_refsource_MISC)
https://portswigger.net/web-security/deserialization (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-25581?: CVE-2023-25581 is a vulnerability in Pac4j, classified under Deserialization of Untrusted Data. Published 2024-10-10.
Is CVE-2023-25581 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.