CVE-2016-4437 in Shiro
Summary
by MITRE
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/23/2026
Apache Shiro versions prior to 1.2.5 contain a critical security vulnerability in the "remember me" feature implementation that creates a remote code execution and access control bypass vector. The vulnerability stems from the absence of proper validation and sanitization of request parameters when the cipher key is not explicitly configured, allowing attackers to manipulate the authentication flow through crafted input data. This flaw exists within the framework's session management and authentication mechanisms, specifically targeting the remember me functionality that is commonly used to maintain user sessions across browser restarts.
The technical root cause of this vulnerability lies in the improper handling of serialized objects within the remember me cookie mechanism. When no explicit cipher key is configured, Shiro defaults to using a weak or hardcoded key that can be exploited by attackers to craft malicious requests. The vulnerability is classified under CWE-20 as improper input validation and CWE-502 as deserialization of untrusted data. Attackers can leverage this weakness by manipulating the remember me cookie value to inject malicious serialized objects that will be deserialized by the application server, leading to arbitrary code execution on the target system.
The operational impact of this vulnerability is severe as it allows remote attackers to bypass authentication mechanisms entirely or execute arbitrary code on affected systems. The vulnerability affects applications that rely on Apache Shiro for authentication and session management, particularly those implementing the remember me feature without proper cryptographic key configuration. This creates a significant risk for web applications where attackers can escalate privileges, access restricted resources, or gain complete control over the application server. The attack surface is broad as any application using Shiro versions before 1.2.5 with remember me functionality enabled is potentially vulnerable.
Mitigation strategies for this vulnerability include upgrading to Apache Shiro version 1.2.5 or later, which includes proper cryptographic key handling and validation mechanisms for the remember me feature. Organizations should implement explicit cipher key configuration for all remember me implementations and ensure that cryptographic keys are properly managed and rotated. The fix addresses the underlying deserialization vulnerability through proper input validation and secure key management practices. Additionally, implementing network-level protections such as web application firewalls and monitoring for suspicious cookie manipulation patterns can provide additional defense in depth. This vulnerability aligns with ATT&CK technique T1210 for exploitation of remote services and T1078 for valid accounts usage, emphasizing the need for proper session management and authentication hardening measures.