| Title | Nutz Framework NutzBoot 2.6.0-SNAPSHOT Code Execution (Unauthenticated Java Deserialization) |
|---|---|
| Description | An exposed LiteRPC HTTP endpoint allows arbitrary deserialization of attacker-controlled data. The server expects the following headers: LiteRpc-Klass, LiteRpc-Method, and LiteRpc-Serializer. If all three are present, the endpoint looks up the serializer by name and blindly calls serializer.read(req.getInputStream()), trusting the client-provided serializer (HttpServletRpcEndpoint.java:47-110).<br>LiteRPC registers JdkRpcSerializer by default, and that serializer is chosen whenever the client sets LiteRpc-Serializer: jdk. The serializer wraps the request body in ObjectInputStream and invokes readObject() (lines 18-28). No filtering occurs before object graph creation, so any gadget chain available on the classpath can be triggered.<br>Service discovery through Loach amplifies the issue: /loach/v1/list and /loach/v1/list/forlook expose the LiteRpc.RPC_REG_KEY metadata that contains every registered RPC interface with its hashed method signatures. Therefore, an attacker can enumerate valid values for LiteRpc-Klass and LiteRpc-Method without guessing, guaranteeing that the invocation will reach a real RpcInvoker and the deserialization code path will execute.<br>Because neither /literpc/endpoint nor the Loach list endpoints enforce authentication or network restrictions in code, this becomes a pre-authentication remote code execution vulnerability. |
| Source | https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-RCE-1/report.md |
| User | sh7err03 (UID 92418) |
| Submission | 11/10/2025 11:15 (7 months ago) |
| Moderation | 11/30/2025 15:13 (20 days later) |
| Status | Accepted |
| VulDB entry | 333815 [nutzam NutzBoot up to 2.6.0-SNAPSHOT LiteRpc-Serializer HttpServletRpcEndpoint.java getInputStream deserialization] |
| Points | 20 |
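The description above boils down to an ObjectInputStream.readObject() call on a body whose serializer the client chooses. The following is an added illustration, not code from NutzBoot or from the report: it places that unfiltered shape next to a hardened variant that validates the serializer name against a server-side allow-list and attaches a JEP 290 ObjectInputFilter. The class name, method names and the listed argument types are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Set;
public final class LiteRpcDeserializationHardening {
    // Vulnerable shape from the report: the body goes straight into readObject() with no filter.
    static Object readUnfiltered(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            return in.readObject();   // any gadget chain on the classpath is reachable here
        }
    }
    // Hardened shape: the serializer name is checked against a server-side allow-list instead of
    // trusted from the LiteRpc-Serializer header, and a JEP 290 filter admits only the argument
    // types the RPC method declares (hypothetical list), with depth/reference/size limits.
    static final Set<String> ALLOWED_SERIALIZERS = Set.of("jdk");   // assumption
    static final ObjectInputFilter ARG_FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Number;java.lang.Integer;java.util.ArrayList;!*;"
            + "maxdepth=8;maxrefs=500;maxbytes=65536");   // serializable superclasses (Number) must be listed too
    static Object readFiltered(String serializerHeader, InputStream body)
            throws IOException, ClassNotFoundException {
        if (serializerHeader == null || !ALLOWED_SERIALIZERS.contains(serializerHeader)) {
            throw new SecurityException("serializer not permitted: " + serializerHeader);
        }
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            in.setObjectInputFilter(ARG_FILTER);   // must be set before the first read
            return in.readObject();                // non-listed classes fail with InvalidClassException
        }
    }
    static byte[] serialize(Object o) throws IOException {   // constructed sample payloads
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        ArrayList<Object> arg = new ArrayList<>(); arg.add("ping"); arg.add(42);
        System.out.println("accepted: " + readFiltered("jdk", new ByteArrayInputStream(serialize(arg))));
        try {
            readFiltered("jdk", new ByteArrayInputStream(serialize(new HashMap<String, String>())));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());   // HashMap is not on the allow-list
        }
    }
}
```

In a real fix the type allow-list would be derived from the parameter types of the RpcInvoker method resolved from LiteRpc-Klass and LiteRpc-Method, rather than hard-coded. Where the protocol permits, dropping the jdk serializer for a non-native format removes the readObject() path altogether.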