| Title | changmingxie tcc-transaction <=2.1.0 Deserialization |
|---|
| Description | # Stored Deserialization RCE via Redis → Fastjson AutoType Parse
## Project Information
- **Project:** changmingxie/tcc-transaction
- **Type:** Stored Deserialization RCE (Fastjson AutoType)
- **Severity:** Critical (CVSS 9.8)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Vulnerability Description
tcc-transaction persists transaction state in Redis and later deserializes it with Fastjson while AutoType is enabled. An attacker who can write to Redis, either through the application's REST API or by connecting to the Redis instance directly, can store a JSON document whose `@type` field names an arbitrary class. That class is instantiated, and its setters are invoked with attacker-supplied values, when the transaction recovery code reads the key back; with a suitable gadget class on the classpath this yields remote code execution. The payload is stored, so it fires on every recovery run, not only at the moment of injection.
## Data Flow
```
REST API → Redis (transaction state) → Fastjson.parseObject() with AutoType → RCE
```
### Write Path
1. TCC transaction participants write transaction state to Redis
2. Transaction objects are serialized with Fastjson and stored under Redis keys
### Read Path
3. The transaction recovery process reads the stored values back from Redis
4. The stored string is passed to `JSON.parseObject()` or `JSON.parse()` with AutoType support enabled
5. An attacker-controlled `@type` field selects the class that gets instantiated, and any matching setters run with the attacker's values
## Authentication
Redis access may be unauthenticated in default deployments: Redis ships with no password or ACL configured, so any client that can reach the port can write transaction keys. Protected mode only blocks remote clients when Redis is started without an explicit `bind` and without a password; once an operator binds it to a reachable interface, nothing stops the write. The REST path is the application's own surface and is unaffected by Redis authentication.
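A hardened `redis.conf` fragment for the instance the transaction repository talks to, added here as an example rather than anything the tcc-transaction project ships. The `TCC:` key prefix, the bind address and the user name are assumptions; before applying the ACL, confirm which commands the deployed repository actually issues (for instance `KEYS` versus `SCAN` during recovery), because `-@dangerous` withholds `KEYS`, `FLUSHALL`, `CONFIG` and similar commands. ACL rules need Redis 6 or later. This closes the direct-write path only; the REST path still needs the parser fix below.

```conf
# Added example, not part of tcc-transaction. Key prefix, address and user
# name are assumptions; adjust them to the deployment.

# Listen only on the interface the application servers reach (assumed address).
bind 10.0.1.5
protected-mode yes

# Disable the built-in passwordless default user so an unauthenticated client
# can neither read nor write transaction state.
user default off

# Least-privilege account for the application: confined to its own key prefix,
# with administrative and bulk commands withheld. If recovery still uses KEYS,
# add "+keys" explicitly after verifying that is really required.
user tcc on >replace-with-a-long-random-secret ~TCC:* +@all -@dangerous
```

Restart Redis (or load the rules with `ACL LOAD` from an `aclfile`) and point the application at the `tcc` user; a client that authenticates as nobody, or as `tcc` but touches keys outside `TCC:*`, is refused.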
## Remediation
1. **Disable AutoType**: keep `ParserConfig.getGlobalInstance().setAutoTypeSupport(false)` (the default) and, on Fastjson 1.2.68 or later, also enable `ParserConfig.getGlobalInstance().setSafeMode(true)`. safeMode rejects every `@type` key outright instead of consulting the built-in allow/deny lists, which have been bypassed repeatedly in earlier releases
2. **Type whitelist**: deserialize stored values into a fixed target class chosen by the caller rather than by the payload; if polymorphic types are unavoidable, register only the exact classes the repository writes instead of enabling AutoType globally
3. **Redis authentication**: require a password or, on Redis 6 and later, an ACL user scoped to the application's key prefix, so that a network-reachable Redis no longer accepts anonymous writes
4. **Network segmentation**: bind Redis to an internal interface and allow only the application servers through to its port; Redis must never be reachable from the same network the REST API is exposed on
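The read path and the first two remediation items, shown side by side in an added illustration that is not code from tcc-transaction. One constructed Redis value is parsed the vulnerable way (generic parse with AutoType on) and the hardened way (safeMode plus a caller-fixed target class). `FastjsonAutoTypeDemo`, `TransactionRecord`, `Canary` and the two JSON strings are constructed for the demo; the Canary stands in for a gadget class and only records that it was instantiated. Requires fastjson 1.2.68 or later on the classpath for `setSafeMode`.

```java
// Added illustration, not code from tcc-transaction: one Redis value parsed two
// ways. Class names, the JSON payloads and the TransactionRecord shape are
// constructed for the demo. Needs fastjson 1.2.68+ (setSafeMode) on the classpath.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonAutoTypeDemo {

    /** What the recovery code expects to find in Redis (hypothetical shape). */
    public static class TransactionRecord {
        private String xid;
        private int status;
        public String getXid() { return xid; }
        public void setXid(String xid) { this.xid = xid; }
        public int getStatus() { return status; }
        public void setStatus(int status) { this.status = status; }
    }

    /**
     * Benign stand-in for a gadget class. Real chains name JDK or library classes
     * whose constructors or setters have side effects; this one only records that
     * the parser instantiated a class the application never asked for.
     */
    public static class Canary {
        static volatile boolean instantiated = false;
        static volatile String lastCmd = null;
        public Canary() { instantiated = true; }
        public void setCmd(String cmd) { lastCmd = cmd; }   // invoked for the "cmd" key
    }

    /** Constructed stand-in for a value an attacker wrote into a transaction key. */
    static final String POISONED =
            "{\"@type\":\"FastjsonAutoTypeDemo$Canary\",\"cmd\":\"attacker-chosen\"}";

    /** Constructed stand-in for a legitimate record; carries no @type key. */
    static final String LEGIT = "{\"xid\":\"tx-0001\",\"status\":1}";

    /** Vulnerable read path: generic parse, AutoType on, the payload picks the class. */
    static Object vulnerableRecover(String fromRedis) {
        return JSON.parse(fromRedis, Feature.SupportAutoType);
    }

    /**
     * Hardened read path. safeMode turns every @type key into a JSONException, and
     * the target type is fixed by the caller instead of by the stored bytes. In a
     * real service call setSafeMode(true) once at startup; the setting is JVM-global.
     */
    static TransactionRecord hardenedRecover(String fromRedis) {
        ParserConfig.getGlobalInstance().setSafeMode(true);
        return JSON.parseObject(fromRedis, TransactionRecord.class);
    }

    public static void main(String[] args) {
        // 1. Vulnerable path: the stored @type decides what gets built.
        Object built = vulnerableRecover(POISONED);
        System.out.println("vulnerable path instantiated " + built.getClass().getName()
                + "; canary hit=" + Canary.instantiated + ", setter arg=" + Canary.lastCmd);

        // 2. Hardened path: the same bytes are refused before any class is loaded.
        try {
            hardenedRecover(POISONED);
            System.out.println("hardened path accepted @type: parser is misconfigured");
        } catch (JSONException e) {
            System.out.println("hardened path rejected payload: " + e.getMessage());
        }

        // 3. Legitimate data still round-trips under safeMode because it has no @type.
        TransactionRecord r = hardenedRecover(LEGIT);
        System.out.println("legitimate record still parses: xid=" + r.getXid()
                + " status=" + r.getStatus());
    }
}
```

Compile with fastjson on the classpath and run `java FastjsonAutoTypeDemo`. The vulnerable call reports the Canary class and a set `setter arg`, which is the same mechanism a real gadget chain abuses; the hardened call throws on the poisoned value and still returns a `TransactionRecord` for the legitimate one. Turning AutoType off per call is not enough on its own: the deny-list that `setAutoTypeSupport(false)` relies on is what successive Fastjson bypasses targeted, which is why safeMode exists.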
## References
- CWE-502: Deserialization of Untrusted Data |
|---|
| Source | ⚠️ https://github.com/Ku4D3/bug_story/blob/main/report_01.md |
|---|
| User | Ku4D3 (UID 97639) |
|---|
| Submission | 27/04/2026 12:47 PM (1 month ago) |
|---|
| Moderation | 25/05/2026 11:37 AM (28 days later) |
|---|
| Status | Approved |
|---|
| VulDB Entry | 365480 [changmingxie tcc-transaction up to 2.1.0 Fastjson AutoType REST API Fastjson.parseObject privilege escalation] |
|---|
| Points | 20 |
|---|