Deserialization of Untrusted Data (Java JSON Deserialization) Genson - Vulnerability Database

Description

This vulnerability occurs when the application deserializes JSON from an untrusted source with the Genson library while Polymorphic Type Handling (Genson's "class metadata" feature, enabled with useClassMetadata(true)) is switched on. Serialization converts objects into a transferable data format; deserialization reverses the process and reconstructs objects from it. With class metadata enabled, Genson expects a "@class" property carrying a fully qualified Java class name and instantiates that class instead of the type the application declared, so an attacker who controls the JSON chooses which class on the application's classpath is instantiated and populated from the payload. This is a critical risk: depending on the classes available at runtime, instantiating attacker-chosen types can trigger unintended code paths, resource exhaustion, or execution of attacker-controlled logic within the application.

Remediation

Disable Polymorphic Type Handling in the Genson configuration. This is Genson's default: with useClassMetadata(false), Genson binds JSON only into the type the application passes to deserialize() and never instantiates a class named in the input, so type information in the payload cannot select a class.

Implement the following remediation steps:

1. Remove or disable polymorphic type handling by not calling useClassMetadata(true) (or other options that make Genson read type information from the JSON):

import com.owlike.genson.Genson;
import com.owlike.genson.GensonBuilder;

// INSECURE - Do not use: Genson will honour an attacker-supplied "@class"
// property and instantiate whatever class it names.
Genson insecure = new GensonBuilder()
    .useClassMetadata(true)
    .create();

// SECURE - class metadata off (the default): the target type comes only
// from the Class/GenericType passed to deserialize(), never from the input.
Genson secure = new GensonBuilder()
    .useClassMetadata(false)
    .create();

2. If polymorphic deserialization is absolutely required, restrict the classes that class metadata may resolve to with a strict allow list. The filter hook below reproduces the page's illustration; check the GensonBuilder of the Genson version you ship for the exact class-metadata restriction API before relying on it, and if your version offers none, reject any "@class" value that is not on your allow list before the JSON reaches Genson:

import com.owlike.genson.Genson;
import com.owlike.genson.GensonBuilder;

// NOTE: illustrative filter hook; verify against your Genson version.
Genson genson = new GensonBuilder()
    .useClassMetadata(true)
    .withClassMetadataFilter(new GensonBuilder.ClassMetadataFilter() {
        @Override
        public boolean shouldInclude(Class<?> clazz) {
            // Only allow specific, safe classes; everything else is rejected
            return clazz.equals(SafeClass1.class) ||
                   clazz.equals(SafeClass2.class);
        }
    })
    .create();

3. Validate all untrusted input before deserialization: when class metadata is disabled, reject payloads that carry an "@class" property at all, and never pass attacker-supplied type names to the deserializer
4. Prefer Data Transfer Objects (DTOs) with explicit, server-chosen types over polymorphic deserialization; if several shapes are needed, select the concrete DTO from a closed set keyed by a plain discriminator field
5. Implement runtime application self-protection (RASP) or monitoring to detect deserialization attacks
6. Keep the Genson library updated to the latest version with security patches
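The following is an added example (not Invicti's text and not code from the Genson project) showing how steps 1, 2 and 4 fit together: class metadata stays off, a plain "type" field acts as the discriminator, and the server maps it through a closed allow list to a concrete DTO, so no class name in the payload is ever resolved. The Event, LoginEvent and PurchaseEvent classes and the sample JSON are constructed for the example; the Genson calls used (GensonBuilder.useClassMetadata, Genson.deserialize(String, Class)) are standard Genson API.

```java
import com.owlike.genson.Genson;
import com.owlike.genson.GensonBuilder;
import java.util.Map;

public final class SafePolymorphicDeserializer {

    // Hypothetical DTOs. "type" is an ordinary bean field the server
    // interprets; it is NOT Genson class metadata.
    public static abstract class Event { public String type; }
    public static class LoginEvent extends Event { public String user; }
    public static class PurchaseEvent extends Event { public String sku; public int qty; }

    // Closed allow list: the only classes untrusted JSON can ever become.
    private static final Map<String, Class<? extends Event>> ALLOWED =
        Map.<String, Class<? extends Event>>of(
            "login", LoginEvent.class,
            "purchase", PurchaseEvent.class);

    // Class metadata off (Genson's default): an "@class" property in the
    // input is just an unmapped property name, not an instantiation request.
    private static final Genson GENSON = new GensonBuilder()
        .useClassMetadata(false)
        .create();

    public static Event deserialize(String json) {
        // First pass: structural read only. Binding into Map creates nothing
        // beyond Map/List/String/Number/Boolean, whatever the payload says.
        Map<?, ?> raw = GENSON.deserialize(json, Map.class);
        Object type = raw.get("type");
        Class<? extends Event> target =
            (type instanceof String) ? ALLOWED.get(type) : null;
        if (target == null) {
            // Unknown or missing discriminator: refuse, never fall back to
            // Class.forName or to a class name taken from the input.
            throw new IllegalArgumentException("Rejected event type: " + type);
        }
        // Second pass: bind into the concrete class the SERVER chose.
        return GENSON.deserialize(json, target);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String ok = "{\"type\":\"purchase\",\"sku\":\"A-1\",\"qty\":2}";
        String withClassMetadata =
            "{\"@class\":\"some.attacker.Chosen\",\"type\":\"login\",\"user\":\"bob\"}";
        String unknownType = "{\"type\":\"java.lang.Runtime\"}";

        PurchaseEvent p = (PurchaseEvent) deserialize(ok);
        System.out.println("purchase " + p.sku + " x" + p.qty);

        // "@class" is ignored as an unknown property (Genson's default
        // failOnMissingProperty is false); the class it names is never loaded.
        LoginEvent l = (LoginEvent) deserialize(withClassMetadata);
        System.out.println("login by " + l.user);

        try {
            deserialize(unknownType);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The two-pass read costs one extra parse per message, but it keeps the decision about which class to instantiate entirely on the server side, which is the property the vulnerability description above says is lost once class metadata is enabled.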

Related Vulnerabilities