Wire
CVE-2021-29508
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end. And by doing so allowing the serializer to create any type on the deserializing end. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019. This also applies to the fork of Wire.
AnalysisAI
Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end. And by doing so allowing the serializer to create any type on the deserializing end. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300?view=vs-2019. This also applies to the fork of Wire. Affected products include: Asynkron Wire.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.
Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbi
In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. Rated high severity (CVSS 8.0), this vuln
The Wire application before 2018-03-07 for Android allows attackers to write to pathnames outside of the downloads direc
Wire is an open source secure messenger. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for
wire-server provides back end services for Wire, a team communication and collaboration platform. Rated medium severity
wire-ios is an iOS client for the Wire secure messaging application. Rated medium severity (CVSS 6.5), this vulnerabilit
Wire-ios is a messaging application using the wire protocol on apple's ios platform. Rated medium severity (CVSS 6.5), t
wire-ios is the iOS version of Wire, an open-source secure messaging app. Rated medium severity (CVSS 6.5), this vulnera
wire-ios is the iOS version of Wire, an open-source secure messaging app. Rated medium severity (CVSS 6.5), this vulnera
Wire is an open source secure messenger. Rated medium severity (CVSS 4.6), this vulnerability is no authentication requi
Wire is a collaboration platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low atta
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today