GHSA-4hhg-8ghq-vwq6HighCVSS 8.8

Infinispan: Deserialization of untrusted data in the Hot Rod Java client via automatic byte-array deserialization

Published
May 13, 2022
Last Modified
July 10, 2026

🔗 CVE IDs covered (1)

📋 Description

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

🎯 Affected products1

  • maven/org.infinispan:infinispan-core:< 9.1.0.Final

🔗 References (8)