| Title | changmingxie tcc-transaction <=2.1.0 Deserialization |
|---|---|

## Description

# Stored Deserialization RCE via Redis → Fastjson AutoType Parse
## Project Information
- **Project:** changmingxie/tcc-transaction
- **Type:** Stored Deserialization RCE (Fastjson AutoType)
- **Severity:** Critical (CVSS 9.8)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Vulnerability Description
tcc-transaction stores transaction data in Redis which is later deserialized using Fastjson with AutoType enabled. An attacker who can write to Redis (via REST API or direct access) can inject a crafted JSON payload that triggers arbitrary class instantiation during deserialization.
## Data Flow
```
REST API → Redis (transaction state) → Fastjson.parseObject() with AutoType → RCE
```
### Write Path
1. TCC transaction participants write transaction state to Redis
2. Transaction data serialized using Fastjson and stored in Redis keys
### Read Path
3. Transaction recovery process reads data from Redis
4. `JSON.parseObject()` or `JSON.parse()` with AutoType support enabled
5. Attacker-controlled `@type` field causes arbitrary class instantiation
## Authentication
Redis access may be unauthenticated in default deployments.
## Remediation
1. **Disable AutoType**: Set `ParserConfig.getGlobalInstance().setAutoTypeSupport(false)` and use `safeMode`
2. **Type whitelist**: Use explicit type mapping instead of AutoType
3. **Redis authentication**: Require authentication for Redis connections
4. **Network segmentation**: Restrict Redis access to application servers
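The read path above and remediation steps 1 and 2 come down to one rule: the application, not the JSON document fetched from Redis, decides which class is instantiated. The following Java snippet is an added example, not code from the tcc-transaction project or from the report; it assumes Fastjson 1.2.68 or later (the release that introduced `setSafeMode`), a stand-in `TransactionState` POJO in place of the project's real transaction model, and uses `com.example.NotAllowed` as a placeholder class name in the constructed tampered document.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeTransactionParse {

    // Stand-in for the transaction state a TCC participant writes to Redis
    // (constructed for this example; the project's real model has more fields).
    public static class TransactionState {
        public String xid;
        public int status;
    }

    // Hardening from remediation step 1: refuse to honour @type from stored data.
    // Run once at application start-up, before any parse of Redis content.
    public static void hardenFastjson() {
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setAutoTypeSupport(false); // @type no longer selects arbitrary classes
        config.setSafeMode(true);         // Fastjson >= 1.2.68: AutoType is ignored entirely
        // Equivalent without code changes: -Dfastjson.parser.safeMode=true
    }

    // Remediation step 2: the caller names the target type explicitly.
    public static TransactionState load(String jsonFromRedis) {
        return JSON.parseObject(jsonFromRedis, TransactionState.class);
    }

    public static void main(String[] args) {
        hardenFastjson();

        // Constructed benign record, as the recovery job would read it back.
        String benign = "{\"xid\":\"tx-0001\",\"status\":1}";
        TransactionState state = load(benign);
        System.out.println("loaded " + state.xid + " status=" + state.status);

        // Constructed tampered record: the document tries to choose its own class.
        // com.example.NotAllowed is a placeholder, not a real class on the classpath.
        String tampered = "{\"@type\":\"com.example.NotAllowed\",\"xid\":\"tx-0002\",\"status\":2}";
        try {
            TransactionState t = load(tampered);
            // Depending on the Fastjson version, safeMode either throws or silently
            // ignores @type; in both cases no attacker-chosen class is instantiated.
            System.out.println("@type ignored, mapped declared fields only: " + t.xid);
        } catch (JSONException e) {
            System.out.println("rejected stored record: " + e.getMessage());
        }
    }
}
```

Both `setAutoTypeSupport(false)` and `setSafeMode(true)` are global, so a detection-minded deployment should also log any `JSONException` raised on the recovery path: a rejected `@type` in data read back from Redis is a strong signal that the store itself has been written to by someone other than the TCC participants, which is exactly the precondition this report describes.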
## References
- CWE-502: Deserialization of Untrusted Data

| Field | Value |
|---|---|
| Source | https://github.com/Ku4D3/bug_story/blob/main/report_01.md |
| User | Ku4D3 (UID 97639) |
| Submission | 2026-04-27 12:47 (1 month ago) |
| Moderation | 2026-05-25 11:37 (28 days later) |
| Status | Accepted |
| VulDB Entry | 365480 [changmingxie tcc-transaction up to 2.1.0 Fastjson AutoType REST API Fastjson.parseObject privilege escalation] |
| Points | 20 |