Location
File: ./src/main/java/org/flossware/commons/util/StringUtil.java
Line: 339
Description
The toCompressedString/fromCompressedString and toString/fromString methods use Java native serialization which is vulnerable to Remote Code Execution (RCE) attacks. While ObjectInputFilter was added in fromStream (line 390-405), the filter only allows org.flossware.*, java.lang.*, and java.util.* packages.
This is still too permissive and can be exploited via gadget chains in java.util classes (e.g., java.util.PriorityQueue, java.util.HashMap with custom Comparators). The methods are deprecated but still present and executable.
Recommendation
- If these methods must remain until removal, implement a strict whitelist of specific safe classes (not entire packages)
- Add deep inspection to reject any nested objects from untrusted packages
- Consider runtime detection of gadget chain patterns
- Add mandatory security documentation requiring authentication/integrity checks before deserialization
- Accelerate migration to JSON-based serialization (Jackson with safe default typing disabled)
Severity
CRITICAL - Remote Code Execution risk
Related
Related to but distinct from #216 (which focuses on array type bypass). This issue addresses the broader problem of overly permissive package-level filtering.
Location
File:
./src/main/java/org/flossware/commons/util/StringUtil.javaLine: 339
Description
The
toCompressedString/fromCompressedStringandtoString/fromStringmethods use Java native serialization which is vulnerable to Remote Code Execution (RCE) attacks. WhileObjectInputFilterwas added infromStream(line 390-405), the filter only allowsorg.flossware.*,java.lang.*, andjava.util.*packages.This is still too permissive and can be exploited via gadget chains in
java.utilclasses (e.g.,java.util.PriorityQueue,java.util.HashMapwith custom Comparators). The methods are deprecated but still present and executable.Recommendation
Severity
CRITICAL - Remote Code Execution risk
Related
Related to but distinct from #216 (which focuses on array type bypass). This issue addresses the broader problem of overly permissive package-level filtering.