Gson
CVE-2022-25647
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 14,373 maven packages depend on com.google.code.gson:gson (2,344 direct, 12,107 indirect)
Ecosystem-wide dependent count for version 2.8.9.
DescriptionCVE.org
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
AnalysisAI
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.
Technical ContextAI
This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. Affected products include: Google Gson, Debian Debian Linux, Netapp Active Iq Unified Manager, Oracle Financial Services Crime And Compliance Management Studio, Oracle Graalvm. Version information: before 2.8.9.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today