What is the severity of GHSA-7c5v-895v-w4q5?

GHSA-7c5v-895v-w4q5 is classified as a medium severity vulnerability due to its potential to allow deserialization of untrusted data.

How do I fix GHSA-7c5v-895v-w4q5?

To fix GHSA-7c5v-895v-w4q5, upgrade io.jooby:jooby-pac4j to version 2.17.0 or 3.7.0.

Which versions are affected by GHSA-7c5v-895v-w4q5?

Versions of io.jooby:jooby-pac4j after 2.x and before 3.x are affected by GHSA-7c5v-895v-w4q5.

What are the workarounds for GHSA-7c5v-895v-w4q5?

Workarounds for GHSA-7c5v-895v-w4q5 include not using io.jooby:jooby-pac4j until patches are applied and checking what values are stored in sessions.

Can GHSA-7c5v-895v-w4q5 lead to data breaches?

Yes, if exploited, GHSA-7c5v-895v-w4q5 could potentially lead to data breaches due to the deserialization of untrusted data.

Vulnerability/
GHSA-7c5v-895v-w4q5

high

8.8

CWE

502

1/4/2025

GHSA-7c5v-895v-w4q5

First published: Tue Apr 01 2025(Updated: )

### Impact Versions after 2.x and before 3.x of io.jooby:jooby-pac4j can cause deserialization of untrusted data ### Patches - 2.17.0 (2.x) - 3.7.0 (3.x) ### Workarounds - Not using io.jooby:jooby-pac4j until it gets patches. - Check what values you put/save on session ### References Version 2.x: https://github.com/jooby-project/jooby/blob/v2.x/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L39-L45 Version 3.x: https://github.com/jooby-project/jooby/blob/v3.6.1/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L77-L84 ### Cause In module pac4j io.jooby.internal.pac4j.SessionStoreImpl#get , it is used to handle sessions , and trying to get key value. In strToObject function ,it's trying to deserialize value when value starts with "b64~" , which might cause deserialization of untrusted data. [modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java](https://github.com/jooby-project/jooby/blob/v3.6.1/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L77-L84) Here's a small demo using SessionStoreImpl#get to handle sessions ,and user can pass parameters. ![屏幕截图 2025-03-25 051325](https://github.com/user-attachments/assets/93039a06-d4f1-458a-8595-736b3fede345) And following below is exploiting successfully(execute calculator) ![屏幕截图 2025-03-24 015128（1）](https://github.com/user-attachments/assets/415cf20c-dda0-4634-83ae-f8fa89677a16)

Affected Software	Affected Version	How to fix
maven/io.jooby:jooby-pac4j	>=3.0.0.M1<3.7.0	3.7.0
maven/io.jooby:jooby-pac4j	<2.17.0	2.17.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of GHSA-7c5v-895v-w4q5?
GHSA-7c5v-895v-w4q5 is classified as a medium severity vulnerability due to its potential to allow deserialization of untrusted data.
How do I fix GHSA-7c5v-895v-w4q5?
To fix GHSA-7c5v-895v-w4q5, upgrade io.jooby:jooby-pac4j to version 2.17.0 or 3.7.0.
Which versions are affected by GHSA-7c5v-895v-w4q5?
Versions of io.jooby:jooby-pac4j after 2.x and before 3.x are affected by GHSA-7c5v-895v-w4q5.
What are the workarounds for GHSA-7c5v-895v-w4q5?
Workarounds for GHSA-7c5v-895v-w4q5 include not using io.jooby:jooby-pac4j until patches are applied and checking what values are stored in sessions.
Can GHSA-7c5v-895v-w4q5 lead to data breaches?
Yes, if exploited, GHSA-7c5v-895v-w4q5 could potentially lead to data breaches due to the deserialization of untrusted data.

collector/github-advisory-latest
source/GitHub
alias/GHSA-7c5v-895v-w4q5
alias/CVE-2025-31129
agent/software-canonical-lookup
agent/weakness
agent/severity
agent/last-modified-date
agent/source
agent/references
agent/softwarecombine
agent/tags
agent/type
agent/description
agent/first-publish-date
agent/event
package-manager/maven