CVE-2020-24164: Deserialization of Untrusted Data

February 10, 2022

A deserialization flaw is present in Taoensso Nippy In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface.

References

github.com/advisories/GHSA-p5gm-fgfx-hr7h
github.com/ptaoussanis/nippy/commit/61fb009fdde2994140f2da2e495ba8af3a873eb2
github.com/ptaoussanis/nippy/issues/130
nvd.nist.gov/vuln/detail/CVE-2020-24164

Detect and mitigate CVE-2020-24164 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →