| Titel | github.com/dromara/Sa-Token Sa-Token <=1.44.0 Deserialization |
|---|
| Beschreibung | Vulnerable Components:
sa-token-starter: sa-token-jboot-plugin and sa-token-jfinal-plugin (JDK Native Serialization)
sa-token-jackson (Jackson Polymorphic Deserialization)
Optional: If SaManager is configured to use sa-token-fastjson/fastjson2, related Fastjson paths.
Vulnerability Type:
Insecure Deserialization (Potential Remote Code Execution - RCE, depending on runtime classpath and external controllability)
Affected Files and Call Chain (Precise Identification):
JDK Native Deserialization (High Risk)
SaJdkSerializer.java
Method: deserialize(byte[] bytes) → ObjectInputStream.readObject()
Called By: SaTokenCacheDao.java initializing this.serializer = new SaJdkSerializer()
Typical Use: Jboot cache/session object serialization and deserialization process.
SaJdkSerializer.java
Method: valueFromBytes(byte[] bytes) → ObjectInputStream.readObject()
Called By: SaTokenDaoRedis.java initializing serializer = new SaJdkSerializer()
Typical Use: JFinal Redis DAO value/field serialization reading.
Jackson Polymorphic Deserialization (Medium-High Risk)
SaJsonTemplateForJackson.java
Enabled in Constructor: objectMapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY)
Deserialization Method: jsonToObject(String jsonStr, Class<T> type) → objectMapper.readValue(jsonStr, type)
Binding Location: SaTokenPluginForJackson.java (enabled through SaManager.setSaJsonTemplate(new SaJsonTemplateForJackson())).
Fastjson/Fastjson2 (Depends on Deployment/Plugin Choice)
SaJsonTemplateForFastjson.java and SaJsonTemplateForFastjson2.java
Deserialization Method: JSON.parseObject(jsonStr, type)
Risk level depends on whether autoType is allowed or unsafe data is being used.
Exploitation Scenarios (When RCE may occur):
General Preconditions (JDK Deserialization):
Condition A: Attacker can cause arbitrary or specific serialized byte streams to be written and subsequently read by the system (e.g., writing to cache/Redis via HTTP request; or injecting data in a shared Redis environment across multiple applications).
Condition B: The runtime classpath contains exploitable gadget classes (those that trigger arbitrary command execution) or custom classes that can be abused (allowing dangerous actions during deserialization).
If both A and B are satisfied, theoretically RCE can be triggered.
If only A is satisfied but B is not, arbitrary object creation may occur, potentially leading to logic errors, information leaks, or DoS (Denial of Service).
Jackson Polymorphic Deserialization (activateDefaultTyping):
Condition A: Attacker can submit JSON with @class (or Jackson-specific type identifiers) to be parsed by jsonToObject (e.g., via external HTTP Body, message queue messages, or deserialization of externally provided configuration).
Condition B: Classpath contains exploitable gadgets, or allowed types include unsafe types (since PolymorphicTypeValidator in this implementation uses allowIfSubType(Object.class), almost equivalent to allowing all types).
If both A and B are satisfied, RCE or arbitrary logic execution may occur.
Fastjson / Fastjson2:
Condition A: External JSON reaches JSON.parseObject, and the library/configuration allows autoType or parses into unsafe types.
Condition B: Exploitable gadget is present.
Risk depends on the version of Fastjson and autoType configuration. Modern Fastjson2 versions have stricter defaults but still require verification.
Proof of Concept:
JDK Deserialization:
ObjectInputStream.readObject() is a typical deserialization entry point, and without setting ObjectInputFilter or using a type whitelist/validation, it is vulnerable. This project’s two serializers directly read bytes and deserialize them, which can be called in common cache/Redis DAO scenarios where data can be written externally and later read.
Jackson:
The project actively enables activateDefaultTyping and uses a lenient PolymorphicTypeValidator, which from a configuration perspective is a high-risk approach (it allows JSON to contain type information and perform polymorphic deserialization). The project uses a clean mapObjectMapper for maps, but jsonToObject still uses the typing-enabled mapper.
Fastjson:
Code calls JSON.parseObject, requiring confirmation if autoType is enabled or loosened in the runtime environment.
Impact Scope:
Any deployment using the default JDK serializer for cache/Redis serialization is at high risk if the cached data can be written by an untrusted source.
Modules using the Jackson plugin and accepting external JSON (e.g., when SaManager is configured for Jackson to parse external requests/messages) are at high risk.
The risk with the Fastjson plugin depends on the version and actual configuration. |
|---|
| Quelle | ⚠️ https://github.com/Yohane-Mashiro/Sa-Token-cve |
|---|
| Benutzer | Yohane-Mashiro (UID 92825) |
|---|
| Einreichung | 10.12.2025 12:03 (vor 4 Monaten) |
|---|
| Moderieren | 27.12.2025 09:45 (17 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 338495 [Dromara Sa-Token bis 1.44.0 SaJdkSerializer.java ObjectInputStream.readObject erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|