CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4802 vulnerabilities reference this CWE, most recent first.
GHSA-QHGJ-87JJ-53VH
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2025-04-20 03:46ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to "com.branaghgroup.ecers.update.UpdateRequest" object deserialization.
{
"affected": [],
"aliases": [
"CVE-2017-14702"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-30T01:29:00Z",
"severity": "CRITICAL"
},
"details": "ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to \"com.branaghgroup.ecers.update.UpdateRequest\" object deserialization.",
"id": "GHSA-qhgj-87jj-53vh",
"modified": "2025-04-20T03:46:06Z",
"published": "2022-05-13T01:24:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14702"
},
{
"type": "WEB",
"url": "https://github.com/wshepherd0010/advisories/blob/master/CVE-2017-14702.md"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/42952"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QHMF-XW27-6RQR
Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31Summary
MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed(Type) as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic type arguments.
As a result, a type that would be blocked directly can be wrapped inside an array or constructed generic type and pass the outer type check. The formatter machinery can then materialize formatters for the inner blocked type.
Impact
Applications are affected when they deserialize untrusted payloads using typeless serialization features such as MessagePackSerializer.Typeless, TypelessObjectResolver, or related typeless resolver options.
Typeless deserialization is already a high-risk feature for untrusted data, but the presence of a disallowed-type hook creates an expectation that blocked types remain blocked. This issue weakens that mitigation because the check is not applied structurally to nested type components. An attacker who can supply typeless ext-100 payloads may bypass exact outer-type blocklist checks by naming wrapper types such as arrays or generic containers.
The consequence depends on which type is reached and what the application allows typeless deserialization to instantiate. The original findings describe bypasses involving blocked or user-blocklisted gadget types.
Affected components
- Package:
MessagePack - Feature: typeless deserialization
- APIs:
MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed,TypelessFormatter - Finding IDs:
MESSAGEPACKCSHARP-030, duplicate/open variantMESSAGEPACKCSHARP-OPEN-007
Patches
Fixes are available via versions 2.5.301 and 3.1.7.
Upgrade guidance:
- Upgrade
MessagePackto the patched version for your release line. - Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should apply type-disallow checks recursively to array element types, pointer/byref element types where applicable, nullable underlying types, and constructed generic type arguments. Formatter paths that materialize types supplied by the wire should not instantiate inner types that fail the configured policy.
Workarounds
Patching is recommended.
Avoid typeless deserialization for untrusted data. If typeless support is unavoidable, configure an explicit allowlist that rejects any type not approved by the application and ensure the allowlist recursively validates array elements and generic arguments. Do not rely on exact outer-type blocklists as a complete security boundary.
Resources
MESSAGEPACKCSHARP-030: typeless disallowed-type check is not recursiveMESSAGEPACKCSHARP-OPEN-007: duplicate/open finding for typeless blocklist gaps- CWE-502: Deserialization of Untrusted Data
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code
CVE split rationale
This vulnerability is independently fixable in typeless type-policy enforcement. It is separate from MVC default options, collection allocation, LZ4 decoding, and recursion-depth issues.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "MessagePack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.301"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "MessagePack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48517"
],
"database_specific": {
"cwe_ids": [
"CWE-470",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T21:31:13Z",
"nvd_published_at": "2026-06-22T22:16:48Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nMessagePack-CSharp\u0027s typeless deserialization includes `MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed(Type)` as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic type arguments.\n\nAs a result, a type that would be blocked directly can be wrapped inside an array or constructed generic type and pass the outer type check. The formatter machinery can then materialize formatters for the inner blocked type.\n\n## Impact\n\nApplications are affected when they deserialize untrusted payloads using typeless serialization features such as `MessagePackSerializer.Typeless`, `TypelessObjectResolver`, or related typeless resolver options.\n\nTypeless deserialization is already a high-risk feature for untrusted data, but the presence of a disallowed-type hook creates an expectation that blocked types remain blocked. This issue weakens that mitigation because the check is not applied structurally to nested type components. An attacker who can supply typeless ext-100 payloads may bypass exact outer-type blocklist checks by naming wrapper types such as arrays or generic containers.\n\nThe consequence depends on which type is reached and what the application allows typeless deserialization to instantiate. The original findings describe bypasses involving blocked or user-blocklisted gadget types.\n\n## Affected components\n\n- Package: `MessagePack`\n- Feature: typeless deserialization\n- APIs: `MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed`, `TypelessFormatter`\n- Finding IDs: `MESSAGEPACKCSHARP-030`, duplicate/open variant `MESSAGEPACKCSHARP-OPEN-007`\n\n## Patches\n\nFixes are available via versions 2.5.301 and 3.1.7.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should apply type-disallow checks recursively to array element types, pointer/byref element types where applicable, nullable underlying types, and constructed generic type arguments. Formatter paths that materialize types supplied by the wire should not instantiate inner types that fail the configured policy.\n\n## Workarounds\n\nPatching is recommended.\n\nAvoid typeless deserialization for untrusted data. If typeless support is unavoidable, configure an explicit allowlist that rejects any type not approved by the application and ensure the allowlist recursively validates array elements and generic arguments. Do not rely on exact outer-type blocklists as a complete security boundary.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-030`: typeless disallowed-type check is not recursive\n- `MESSAGEPACKCSHARP-OPEN-007`: duplicate/open finding for typeless blocklist gaps\n- CWE-502: Deserialization of Untrusted Data\n- CWE-470: Use of Externally-Controlled Input to Select Classes or Code\n\n## CVE split rationale\n\nThis vulnerability is independently fixable in typeless type-policy enforcement. It is separate from MVC default options, collection allocation, LZ4 decoding, and recursion-depth issues.",
"id": "GHSA-qhmf-xw27-6rqr",
"modified": "2026-06-25T21:31:13Z",
"published": "2026-06-25T21:31:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-qhmf-xw27-6rqr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48517"
},
{
"type": "PACKAGE",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments"
}
GHSA-QHMW-M62M-P9XH
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a "public link" of a file, or access to any unprivileged user account for creation of such a link.
{
"affected": [],
"aliases": [
"CVE-2018-20718"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-15T16:29:00Z",
"severity": "CRITICAL"
},
"details": "In Pydio before 8.2.2, an attack is possible via PHP Object Injection because a user is allowed to use the $phpserial$a:0:{} syntax to store a preference. An attacker either needs a \"public link\" of a file, or access to any unprivileged user account for creation of such a link.",
"id": "GHSA-qhmw-m62m-p9xh",
"modified": "2022-05-13T01:19:56Z",
"published": "2022-05-13T01:19:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20718"
},
{
"type": "WEB",
"url": "https://blog.ripstech.com/2018/pydio-unauthenticated-remote-code-execution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QHRQ-52QX-58FX
Vulnerability from github – Published: 2024-10-17 18:31 – Updated: 2026-04-01 18:32Deserialization of Untrusted Data vulnerability in Scott Olson My Reading Library allows Object Injection.This issue affects My Reading Library: from n/a through 1.0.
{
"affected": [],
"aliases": [
"CVE-2024-49318"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-17T18:15:15Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in Scott Olson My Reading Library allows Object Injection.This issue affects My Reading Library: from n/a through 1.0.",
"id": "GHSA-qhrq-52qx-58fx",
"modified": "2026-04-01T18:32:03Z",
"published": "2024-10-17T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49318"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/my-reading-library/vulnerability/wordpress-my-reading-library-plugin-1-0-php-object-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/my-reading-library/wordpress-my-reading-library-plugin-1-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QHRX-HCM6-PMRW
Vulnerability from github – Published: 2019-12-02 18:12 – Updated: 2025-05-29 22:52An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "cakephp/cakephp"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.5.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "cakephp/cakephp"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "cakephp/cakephp"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "3.7.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-11458"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2019-12-02T00:51:02Z",
"nvd_published_at": "2019-05-08T18:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.",
"id": "GHSA-qhrx-hcm6-pmrw",
"modified": "2025-05-29T22:52:21Z",
"published": "2019-12-02T18:12:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11458"
},
{
"type": "WEB",
"url": "https://github.com/cakephp/cakephp/commit/1a74e798309192a9895c9cedabd714ceee345f4e"
},
{
"type": "WEB",
"url": "https://github.com/cakephp/cakephp/commit/81412fbe2cb88a304dbeeece1955bc0aec98edb1"
},
{
"type": "WEB",
"url": "https://github.com/cakephp/cakephp/commit/c25b91bf7c72db43c01b47a634fd02112ff9f1cd"
},
{
"type": "WEB",
"url": "https://bakery.cakephp.org/2019/04/23/cakephp_377_3615_3518_released.html"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/CVE-2019-11458.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/cakephp/cakephp"
},
{
"type": "WEB",
"url": "https://github.com/cakephp/cakephp/commits/master"
},
{
"type": "WEB",
"url": "https://github.com/cakephp/cakephp/compare/3.7.6...3.7.7"
},
{
"type": "WEB",
"url": "https://github.com/cakephp/cakephp/releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Unsafe deserialization in SmtpTransport in CakePHP"
}
GHSA-QHV7-VR66-J5FF
Vulnerability from github – Published: 2024-06-19 12:31 – Updated: 2024-06-19 12:31Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer.This issue affects Page Builder: Live Composer: from n/a through 1.5.42.
{
"affected": [],
"aliases": [
"CVE-2024-35780"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-19T11:15:51Z",
"severity": "HIGH"
},
"details": "Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer.This issue affects Page Builder: Live Composer: from n/a through 1.5.42.",
"id": "GHSA-qhv7-vr66-j5ff",
"modified": "2024-06-19T12:31:21Z",
"published": "2024-06-19T12:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35780"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/live-composer-page-builder/wordpress-page-builder-live-composer-plugin-1-5-42-contributor-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QHVF-58CR-6VQ3
Vulnerability from github – Published: 2021-12-08 00:01 – Updated: 2021-12-09 00:01A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2021-42130"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-07T14:15:00Z",
"severity": "HIGH"
},
"details": "A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution.",
"id": "GHSA-qhvf-58cr-6vq3",
"modified": "2021-12-09T00:01:43Z",
"published": "2021-12-08T00:01:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42130"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Alert-CVE-s-Addressed-in-Avalanche-6-3-3"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QJ2W-MW2R-PV39
Vulnerability from github – Published: 2022-05-14 01:01 – Updated: 2023-03-10 02:36RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack requires the victim to run the gem owner command on a gem with a specially crafted YAML file. This vulnerability is fixed in 2.7.6.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rubygems-update"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jruby:jruby-stdlib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.1.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000074"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-10T02:36:47Z",
"nvd_published_at": "2018-03-13T15:29:00Z",
"severity": "HIGH"
},
"details": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack requires the victim to run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability is fixed in 2.7.6.",
"id": "GHSA-qj2w-mw2r-pv39",
"modified": "2023-03-10T02:36:47Z",
"published": "2022-05-14T01:01:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000074"
},
{
"type": "WEB",
"url": "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7"
},
{
"type": "WEB",
"url": "https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d"
},
{
"type": "WEB",
"url": "https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4259"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4219"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3685-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3621-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3621-1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00017.html"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0663"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0591"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2028"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"type": "WEB",
"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "RubyGems Deserialization of Untrusted Data vulnerability"
}
GHSA-QJJJ-7G7H-54V3
Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-16 21:28ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "topthink/framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.0.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-38352"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T21:28:29Z",
"nvd_published_at": "2022-09-15T02:15:00Z",
"severity": "CRITICAL"
},
"details": "ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component `League\\Flysystem\\Cached\\Storage\\Psr6Cache`. This vulnerability allows attackers to execute arbitrary code via a crafted payload.",
"id": "GHSA-qjjj-7g7h-54v3",
"modified": "2022-09-16T21:28:29Z",
"published": "2022-09-16T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38352"
},
{
"type": "WEB",
"url": "https://github.com/top-think/framework/issues/2749"
},
{
"type": "PACKAGE",
"url": "https://github.com/top-think/framework"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ThinkPHP deserialization vulnerability"
}
GHSA-QJM3-CVP9-3JJ3
Vulnerability from github – Published: 2026-01-07 21:31 – Updated: 2026-01-08 17:45Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "ome:pom-bio-formats"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22187"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-08T17:45:48Z",
"nvd_published_at": "2026-01-07T21:16:02Z",
"severity": "MODERATE"
},
"details": "Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath.",
"id": "GHSA-qjm3-cvp9-3jj3",
"modified": "2026-01-08T17:45:48Z",
"published": "2026-01-07T21:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22187"
},
{
"type": "WEB",
"url": "https://docs.openmicroscopy.org/bio-formats"
},
{
"type": "PACKAGE",
"url": "https://github.com/ome/bioformats"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2026/Jan/7"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/bio-formats-memoizer-unsafe-deserialization-via-bfmemo-cache-files"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Bio-Formats performs unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing"
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.