Skip to main content

Deserialization of Untrusted Data


Severity High
Score 7.8/10


In Spring for Apache Kafka a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers. This issue affects versions 2.8.0-M1 though 2.9.10, and 3.0.0-M1 through 3.0.9. Specifically, an application is vulnerable when all of the following are true: * The user does not configure an "ErrorHandlingDeserializer" for the key and/or value of the record * The user explicitly sets container properties "checkDeserExWhenKeyNull" and/or "checkDeserExWhenValueNull" container properties to true. * The user allows untrusted sources to publish to a Kafka topic By default, these properties are false, and the container only attempts to deserialize the headers if an "ErrorHandlingDeserializer" is configured. The "ErrorHandlingDeserializer" prevents the vulnerability by removing any such malicious headers before processing the record.

  • LOW
  • HIGH
  • NONE
  • LOW
  • HIGH
  • HIGH

CWE-502 - Deserialization of Untrusted Data

Deserialization of untrusted data vulnerabilities enable an attacker to replace or manipulate a serialized object, replacing it with malicious data. When the object is deserialized at the victim's end the malicious data is able to compromise the victim’s system. The exploit can be devastating, its impact may range from privilege escalation, broken access control, or denial of service attacks to allowing unauthorized access to the application's internal code and logic which can compromise the entire system.

Advisory Timeline

  • Published