Summary
If it is possible for an attacker to fully control the byte data provided to Nippy for thawing, they may be able to crash the JVM or leak JVM memory.
Cause
By default, Nippy compresses its serialized output:
Unfortunately prior releases of both of these may be vulnerable when decompressing malicious data crafted by an attacker:
Important: it is currently not believed to be possible to indirectly create malicious data via a Nippy freeze call, i.e. this attack appears to require full control of the byte data provided to Nippy for thawing. This would be quite unusual for most Nippy use cases, hence the decreased (Moderate) severity compared to the upstream CVEs (High).
Mitigation
Please update to Nippy v3.4.2 (released 2024-05-26).
This includes Aircompressor v0.27 (which is believed to address all known decompression vulnerabilities), and should be a straightforward update for almost all Nippy users.
See the release notes for details.