CVE-2022-25647
7.7 HIGH · The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Published: 2022-05-01 · Last updated: 2024-11-21
Severity and scoring
- CVSS: 7.7 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
- CWE: CWE-502
Affected products
| Vendor | Product |
|---|---|
| debian | debian_linux |
| netapp | active_iq_unified_manager |
| oracle | financial_services_crime_and_compliance_management_studio |
Description
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2022-25647
- [Patch] https://github.com/google/gson/pull/1991
- [Patch] https://github.com/google/gson/pull/1991/commits
- [Other] https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html
- [Other] https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html
- [Other] https://security.netapp.com/advisory/ntap-20220901-0009/
- [Other] https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327
- [Other] https://www.debian.org/security/2022/dsa-5227
- [Patch] https://www.oracle.com/security-alerts/cpujul2022.html
Related CVEs
Same vendor
- CVE-2026-12035 — Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corrupt... (8.8 HIGH)
- CVE-2026-12034 — Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149.0.7827.115 allowed a remote at... (8.3 HIGH)
- CVE-2026-12033 — Out of bounds read in VideoCapture in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the GPU process... (5.3 MEDIUM)
- CVE-2026-12032 — Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromis... (3.1 LOW)
- CVE-2026-12031 — Inappropriate implementation in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised t... (8.3 HIGH)
Same CWE
- CVE-2026-48775 — LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite) (6.8 MEDIUM)
- CVE-2026-10748 — An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating s...
- CVE-2026-24228 — NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data (7.8 HIGH)
- CVE-2026-48853 — Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unau...
- CVE-2026-9691 — Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions (9.8 CRITICAL)