Advisory

Critical vulnerability reported in Java security framework pac4j

Take action: Updating a framework is generally good practice, but a major-version update may bring breaking changes. If you use pac4j, review the advisories in detail for the exploit scenarios that apply to your deployment and, wherever possible, update the library.


Learn More

A critical security vulnerability has been discovered in the popular Java security framework pac4j that enables remote code execution (RCE).

The vulnerability, tracked as CVE-2023-25581 (CVSS score 9.8), stems from a flaw in the deserialization process within the InternalAttributeHandler class of pac4j-core. It affects systems that store externally controlled values in attributes of the UserProfile class: an attacker can supply an attribute whose value is a serialized Java object, Base64 encoded and prefixed with {#sb64}, and the handler deserializes it, which triggers the deserialization of arbitrary Java classes. This can lead to RCE, allowing malicious actors to execute arbitrary code on the affected systems.

Exploiting this flaw could enable attackers to take control of the affected system, execute arbitrary code, and compromise critical systems. pac4j-core versions prior to 4.0 are vulnerable to this issue.
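As an added example (not from this advisory or from the pac4j project), two defender-side checks in Python: flagging a pac4j-core dependency older than the 4.0 fix release, and flagging UserProfile attribute values stored with the `{#sb64}` prefix that the vulnerable handler treats as a Base64-encoded serialized Java object. The attribute map and the Base64 payload are constructed for the demonstration; the payload carries only the Java serialization stream magic bytes, not a real object.

```python
import base64
import re

SB64_PREFIX = "{#sb64}"          # marker the vulnerable InternalAttributeHandler acts on
JAVA_SERIAL_MAGIC = b"\xac\xed"  # first two bytes of every Java serialization stream
FIXED_VERSION = (4, 0)           # pac4j-core release that addresses CVE-2023-25581


def parse_version(version):
    """Turn '3.9.0' or '4.0.0-RC1' into a comparable tuple of ints."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable_pac4j_core(version):
    """True when the pac4j-core version is older than the 4.0 fix."""
    return parse_version(version)[:2] < FIXED_VERSION


def looks_like_java_serialized(value):
    """Does the text after '{#sb64}' Base64-decode to a Java serialization stream?"""
    payload = value[len(SB64_PREFIX):]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)


def find_suspicious_attributes(attrs):
    """Return (attribute name, reason) for each value carrying the sb64 prefix.

    Any such value is worth investigating when the attribute can be populated
    from an externally controlled source; the magic-byte check separates a
    likely serialized object from a stray string that merely starts the same way.
    """
    findings = []
    for name, value in attrs.items():
        if not isinstance(value, str) or not value.startswith(SB64_PREFIX):
            continue
        if looks_like_java_serialized(value):
            findings.append((name, "sb64 prefix with Java serialization magic"))
        else:
            findings.append((name, "sb64 prefix but payload is not a Java stream"))
    return findings


# Constructed sample profile attributes (not real pac4j data).
SAMPLE_ATTRS = {
    "username": "alice",
    "display_name": SB64_PREFIX + base64.b64encode(b"\xac\xed\x00\x05constructed").decode(),
    "nickname": SB64_PREFIX + "not-base64!!",
    "age": 42,
}
```

Run the version check against the pac4j-core coordinate in your dependency tree, and the attribute scan against any persisted profile or session store that holds UserProfile attributes.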

The vulnerability was reported to the pac4j development team by Michael Stepankin from GitHub Security Lab (GHSL) on February 2, 2023. The pac4j team responded by releasing a patch on February 14, 2023, with the release of pac4j-core version 4.0, which addresses the flaw.

Users are strongly advised to upgrade to version 4.0 or later to mitigate the risk of exploitation. There are no known workarounds for this issue, making the upgrade essential.
