| Título | WVP PRO wvp-GB28181-pro 2.7.4 Deserialization |
|---|
| Descripción | The application's Redis template configuration (`RedisTemplateConfig.java`) uses `GenericFastJsonRedisSerializer` from FastJSON 2.x as the global serializer for Redis value operations. This serializer enables `JSONReader.Feature.SupportAutoType` by default, which allows arbitrary class instantiation during deserialization based on the `@type` field in JSON data.
An attacker can exploit this by:
1. Writing malicious JSON containing a `@type` annotation to Redis (via any API endpoint that stores data in Redis)
2. Waiting for any service to read from the affected Redis key
3. Triggering automatic deserialization that instantiates the attacker-specified class
4. Achieving remote code execution through known FastJSON gadget chains
This is a critical framework-level vulnerability because the unsafe configuration is global, affecting all Redis operations throughout the application.
|
|---|
| Fuente | ⚠️ https://github.com/wing3e/public_exp/issues/1 |
|---|
| Usuario | Winegee (UID 96308) |
|---|
| Sumisión | 2026-03-10 11:32 (hace 26 días) |
|---|
| Moderación | 2026-03-25 17:28 (15 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 353191 [648540858 wvp-GB28181-pro hasta 2.7.4 API Endpoint RedisTemplateConfig.java GenericFastJsonRedisSerializer escalada de privilegios] |
|---|
| Puntos | 20 |
|---|