Infinispan: Deserialization of untrusted data in the Hot Rod Java client via automatic byte-array deserialization
High severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Jul 10, 2026
Package
Affected versions
< 9.1.0.Final
Patched versions
9.1.0.Final
Description
Published by the National Vulnerability Database
Sep 11, 2018
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Jul 10, 2026
Last updated
Jul 10, 2026
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
References