Documentation page on deserialization security

We just published a new documentation page on Deserialization Security and Gadget Chains.

This was prompted by a new report on a deserialization gadget chain starting at scala.collection.concurrent.TrieMap.readObject and using multiple classes from the Scala standard library.

In short, if an attacker can control the data that an application deserializes, it is possible to execute url.openStream() for an attacker-controlled URL.

The new page explains how such attacks work and why we treat the corresponding vulnerability as an application-side issue, not something to address in the Scala standard library.

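The application-side mitigation the announcement refers to is to refuse unexpected classes before their `readObject` runs, which on Java 9+ means installing a JEP 290 `ObjectInputFilter` on the `ObjectInputStream`. The example below is added here for illustration; it is not code from the documentation page, from the report, or from the Scala standard library. The `Payload` case class, the allowlist patterns and resource limits, and the use of an empty `TrieMap` as a stand-in for attacker-controlled bytes are all assumptions made for this example (the real chain needs a crafted `TrieMap` graph; the point here is only that the filter rejects the class at the door).

```scala
import java.io.{ByteArrayInputStream, ByteArrayOutputStream, InvalidClassException,
  ObjectInputFilter, ObjectInputStream, ObjectOutputStream}

// Hypothetical application type: the only class this service expects on the wire.
case class Payload(name: String, count: Int)

object SafeDeserialization {

  // JEP 290 allowlist filter (java.io.ObjectInputFilter, Java 9+).
  // Patterns are tried in order; the trailing "!*" rejects every class that
  // is not explicitly listed, so scala.collection.concurrent.TrieMap (and any
  // other gadget class) is refused before ObjectInputStream resolves it or
  // runs its readObject. The limits bound depth, object count, stream size
  // and array length so a malicious stream cannot exhaust memory either.
  val filter: ObjectInputFilter = ObjectInputFilter.Config.createFilter(
    "maxdepth=8;maxrefs=256;maxbytes=16384;maxarray=256;" +
      "Payload;java.lang.String;!*"
  )

  // Vulnerable form: whatever class names the bytes carry get resolved and
  // their readObject methods run. This is exactly the entry point a gadget
  // chain needs if `bytes` is attacker-controlled.
  def unsafeRead(bytes: Array[Byte]): AnyRef = {
    val in = new ObjectInputStream(new ByteArrayInputStream(bytes))
    try in.readObject() finally in.close()
  }

  // Hardened form: the filter is installed before readObject is called, so
  // every class descriptor in the stream is checked against the allowlist
  // first. Anything not on the list fails with InvalidClassException.
  def safeRead(bytes: Array[Byte]): Payload = {
    val in = new ObjectInputStream(new ByteArrayInputStream(bytes))
    in.setObjectInputFilter(filter)
    try in.readObject().asInstanceOf[Payload] finally in.close()
  }

  // Helper to build test streams; in a real system the bytes come from the network.
  def serialize(obj: AnyRef): Array[Byte] = {
    val bos = new ByteArrayOutputStream()
    val out = new ObjectOutputStream(bos)
    try out.writeObject(obj) finally out.close()
    bos.toByteArray
  }

  def main(args: Array[String]): Unit = {
    // Expected input: accepted by both readers.
    val good = serialize(Payload("report", 1))
    println("safeRead(good)   = " + safeRead(good))
    println("unsafeRead(good) = " + unsafeRead(good))

    // Constructed stand-in for hostile input: a serialized (harmless, empty)
    // TrieMap. The unfiltered reader happily resolves the class and runs its
    // readObject; the filtered reader rejects it before that happens.
    val hostile = serialize(new scala.collection.concurrent.TrieMap[String, String]())
    println("unsafeRead(hostile) = " + unsafeRead(hostile).getClass.getName)
    try {
      safeRead(hostile)
      println("safeRead(hostile) accepted (filter not applied?)")
    } catch {
      case e: InvalidClassException =>
        println("safeRead(hostile) rejected: " + e.getMessage)
    }
  }
}
```

An allowlist is the right shape for this filter: a denylist of the classes named in one report does not help against the next chain. Where changing every `ObjectInputStream` call site is impractical, the same pattern string can be applied process-wide with the JVM option `-Djdk.serialFilter=...`, and the deeper fix is to stop accepting Java serialization from untrusted peers at all.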

For credits: the recent report about a deserialization gadget chain starting at TrieMap.readObject was submitted by Qianheng Wang (Fudan University, https://github.com/qhwang996). It prompted us to publish the new documentation page. Thank you for the detailed report (including reproduction code) and for following our reporting guidelines.