org.redisson:redisson@2.7.3 vulnerabilities

  • latest version

    3.41.0

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    25 days ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.redisson:redisson package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • Severity: C (critical)
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data: when the Netty framework is used to deserialize Java objects from messages received from the Redis server, the response stream is trusted to name any class. An attacker who can trick the client into communicating with a malicious server (or otherwise control the server's responses) can include specially crafted serialized objects in those responses, execute arbitrary code on the client and potentially take control of the client's machine.

    Note:

    Even after the fix, do not use Kryo5Codec as the deserialization codec: it remains vulnerable to arbitrary object deserialization because it calls setRegistrationRequired(false), which lets the stream name any class on the classpath. KryoCodec, by contrast, is safe to use. The fix applied to SerializationCodec only adds an optional allowlist of class names; enabling that allowlist is recommended, even though the fix does not make it the default.

    How to fix Deserialization of Untrusted Data?

    Upgrade org.redisson:redisson to version 3.22.0 or higher.

    Vulnerable versions: [,3.22.0)
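The allowlist that the 3.22.0 fix adds to SerializationCodec, and the reason Kryo5Codec's setRegistrationRequired(false) is still dangerous, come down to one question: may the byte stream coming back from the Redis server name any class it likes? The following is an added example, not Redisson's code, showing the defensive pattern in plain Java: an ObjectInputStream whose resolveClass override refuses every class descriptor that is not on an explicit allowlist, so a gadget class in a malicious server response is rejected before any instance of it is created. The Session type, the AllowlistObjectInputStream class and the serialized inputs are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

// Added example, not Redisson code: an allowlisting ObjectInputStream of the kind the
// 3.22.0 fix makes available in SerializationCodec. Only class names on the allowlist
// may be resolved; anything else in a stream returned by a (possibly malicious) Redis
// server is refused before its constructor or readObject logic can run.
public class AllowlistDeserialization {

    // Hypothetical application value type; stands in for whatever the client stores in Redis.
    public static final class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        Session(String user) { this.user = user; }
    }

    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        // resolveClass is invoked for every class descriptor in the stream, so a
        // gadget class is refused before any instance of it exists.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(data, allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(Session.class.getName());

        // Constructed input: what a well-behaved server hands back.
        byte[] good = serialize(new Session("alice"));
        Session s = (Session) deserialize(good, allowed);
        System.out.println("accepted: " + s.user);

        // Constructed input: a stream naming a class that was never allowlisted. A real
        // attack would carry a gadget chain; java.util.HashMap is enough to show the refusal.
        byte[] bad = serialize(new HashMap<String, String>());
        try {
            deserialize(bad, allowed);
            System.out.println("BUG: disallowed class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same effect is available without subclassing, via `ObjectInputFilter.Config.createFilter("AllowlistDeserialization$Session;!*")` passed to `ObjectInputStream.setObjectInputFilter`, and a JVM-wide default can be set with the `jdk.serialFilter` system property. The Kryo analogue of this allowlist is `setRegistrationRequired(true)` together with explicit `register(...)` calls for each permitted class, which is exactly what Kryo5Codec's `setRegistrationRequired(false)` turns off; that is why the note above still advises against it after the upgrade.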