**Title:** changmingxie tcc-transaction <=2.1.0 Deserialization

**Description:**

# Stored Deserialization RCE via Redis → Fastjson AutoType Parse
## Project Information
- **Project:** changmingxie/tcc-transaction
- **Type:** Stored Deserialization RCE (Fastjson AutoType)
- **Severity:** Critical (CVSS 9.8)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Vulnerability Description
tcc-transaction stores transaction data in Redis which is later deserialized using Fastjson with AutoType enabled. An attacker who can write to Redis (via REST API or direct access) can inject a crafted JSON payload that triggers arbitrary class instantiation during deserialization.
## Data Flow
```
REST API → Redis (transaction state) → Fastjson.parseObject() with AutoType → RCE
```
### Write Path
1. TCC transaction participants write transaction state to Redis
2. Transaction data serialized using Fastjson and stored in Redis keys
### Read Path
3. The transaction recovery process reads the stored data back from Redis
4. The data is parsed with `JSON.parseObject()` or `JSON.parse()` while AutoType support is enabled
5. An attacker-controlled `@type` field causes arbitrary class instantiation
## Authentication
Redis access may be unauthenticated in default deployments.
## Remediation
1. **Disable AutoType**: Set `ParserConfig.getGlobalInstance().setAutoTypeSupport(false)` and use `safeMode`
2. **Type whitelist**: Use explicit type mapping instead of AutoType
3. **Redis authentication**: Require authentication for Redis connections
4. **Network segmentation**: Restrict Redis access to application servers
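The following is an added example, not code from the tcc-transaction project or from the report above. It shows how remediation steps 1 and 2 fit together on the read path: the global Fastjson parser is hardened once at startup (AutoType off, `safeMode` on), and every record read back from Redis is parsed into an explicit target class. `TransactionRecord`, `SafeRedisRead` and the two sample JSON strings are constructed for this example and assume fastjson 1.2.68 or later, where `ParserConfig.setSafeMode` exists.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeRedisRead {

    // Hypothetical POJO standing in for the transaction state that the
    // recovery path reads back from Redis (not the project's own class).
    public static class TransactionRecord {
        public String xid;
        public int status;
    }

    // Harden the global parser once at startup. With AutoType disabled and
    // safeMode enabled, fastjson rejects any "@type" key outright instead of
    // consulting its accept/deny lists, so the stored JSON can never pick
    // the class that gets instantiated.
    public static void hardenParser() {
        ParserConfig cfg = ParserConfig.getGlobalInstance();
        cfg.setAutoTypeSupport(false);
        cfg.setSafeMode(true);
    }

    // Always deserialize into an explicit target class (remediation step 2).
    // A record carrying "@type" raises JSONException under safeMode; the
    // caller treats that as a poisoned record and drops it rather than
    // letting it into the recovery loop.
    public static TransactionRecord readRecord(String jsonFromRedis) {
        try {
            return JSON.parseObject(jsonFromRedis, TransactionRecord.class);
        } catch (JSONException e) {
            // Log the rejection so tampered Redis contents show up in SOC telemetry.
            System.err.println("rejecting stored record: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        hardenParser();

        // Constructed sample of a well-formed stored record.
        String benign = "{\"xid\":\"tx-001\",\"status\":2}";
        TransactionRecord ok = readRecord(benign);
        System.out.println("benign record -> " + (ok != null ? ok.xid : "rejected"));

        // Constructed sample with an injected "@type". The class name is a
        // placeholder, not a real class; safeMode rejects the record before
        // any class lookup takes place.
        String tampered = "{\"@type\":\"com.example.NotAllowed\",\"xid\":\"tx-002\",\"status\":2}";
        TransactionRecord bad = readRecord(tampered);
        System.out.println("tampered record -> " + (bad != null ? bad.xid : "rejected"));
    }
}
```

Parsing into a concrete class instead of calling `JSON.parse(String)` is the part that closes the hole even on older fastjson builds without `safeMode`: with AutoType off, a foreign `@type` in a typed `parseObject` call is rejected rather than resolved, and the logged exception gives defenders a signal that something wrote unexpected content into the transaction keys.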
## References
- CWE-502: Deserialization of Untrusted Data

| Field | Value |
|---|---|
| Source | ⚠️ https://github.com/Ku4D3/bug_story/blob/main/report_01.md |
| User | Ku4D3 (UID 97639) |
| Submitted | 2026-04-27 12:47 PM (1 month ago) |
| Moderated | 2026-05-25 11:37 AM (28 days later) |
| Status | Accepted |
| VulDB entry | 365480 [changmingxie tcc-transaction up to 2.1.0 Fastjson AutoType REST API Fastjson.parseObject privilege escalation] |
| Points | 20 |