EUVD-2025-199949
GHSA-fgmj-6h3v-4q56
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4Tags
Description
A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing a manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks.
Analysis
A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing a manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks.
Technical Context
Insecure deserialization occurs when untrusted data is used to reconstruct objects, allowing attackers to manipulate serialized data to execute arbitrary code. This vulnerability is classified as Improper Input Validation (CWE-20).
Remediation
Avoid deserializing untrusted data. Use safe serialization formats (JSON instead of native serialization). Implement integrity checks on serialized data.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today