Deserialization of Untrusted Data (Java JSON Deserialization) JsonIO - Vulnerability Database

Deserialization of Untrusted Data (Java JSON Deserialization) JsonIO

Description

This vulnerability occurs when a web application deserializes JSON from untrusted sources with the Json-io library while polymorphic type handling is enabled. Deserialization converts data from a structured format such as JSON back into in-memory objects. Json-io reconstructs objects from type metadata embedded in the JSON document (its @type key), so an attacker who controls the input can name arbitrary classes on the application's classpath and have them instantiated during parsing. Because the instantiated classes run their own constructors, setters and other logic, a chain of such classes (a deserialization gadget chain) can be used to reach remote code execution.

Remediation

Stop deserializing untrusted JSON with the Json-io library immediately, then apply one or more of the following remediation strategies:

1. Use Safe Data Formats: Replace Json-io deserialization with parsers that do not honor type metadata from the payload. Use standard JSON parsers such as Jackson or Gson with strict type binding to known, safe classes (Jackson's default typing is off unless explicitly enabled, so never enable it for untrusted input):

import com.fasterxml.jackson.databind.ObjectMapper;

// Safe approach using Jackson with explicit type binding:
// the target class is fixed by the caller, not chosen by the JSON.
ObjectMapper mapper = new ObjectMapper();
YourSafeClass obj = mapper.readValue(jsonString, YourSafeClass.class);

2. Input Validation: If Json-io must be used, implement strict allowlisting of permitted classes and validate all input before deserialization. However, this approach is error-prone and not recommended.

3. Disable Type Information: Configure your JSON parser to reject type metadata in JSON payloads and only deserialize to explicitly defined data transfer objects (DTOs).

4. Network Segmentation: As a defense-in-depth measure, ensure deserialization endpoints are not directly exposed to untrusted networks and implement proper authentication and authorization controls.
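The following is an added example (not part of the original entry or of any vendor's code) that combines strategies 1 and 3 above: Jackson bound to a fixed DTO, default typing deactivated, unknown properties rejected, and a pre-parse check that refuses any payload carrying a type-discriminator key. The DTO name UserDto and the sample inputs are constructed for illustration; the key names "@type" (used by Json-io) and "@class" (used by Jackson's class-id default typing) are real discriminators.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.Iterator;
import java.util.Map;
import java.util.Set;

public class SafeJsonBinding {

    // Type-discriminator keys that polymorphic deserializers honor.
    // A plain DTO never needs them, so their presence is a reason to reject the input.
    private static final Set<String> TYPE_KEYS = Set.of("@type", "@class");

    // Hypothetical DTO: only concrete value fields, no interface- or Object-typed members
    // that a deserializer could resolve to an attacker-chosen implementation.
    public static final class UserDto {
        public String username;
        public int age;
    }

    private static final ObjectMapper MAPPER = new ObjectMapper()
            .deactivateDefaultTyping()                                   // never honor embedded type info
            .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);  // unexpected keys fail instead of being ignored

    // Walks the parsed tree and refuses any object that carries a type-discriminator key.
    static void rejectTypeMetadata(JsonNode node) {
        if (node.isObject()) {
            for (Iterator<Map.Entry<String, JsonNode>> it = node.fields(); it.hasNext(); ) {
                Map.Entry<String, JsonNode> e = it.next();
                if (TYPE_KEYS.contains(e.getKey())) {
                    throw new IllegalArgumentException("type metadata not allowed: " + e.getKey());
                }
                rejectTypeMetadata(e.getValue());
            }
        } else if (node.isArray()) {
            for (JsonNode child : node) {
                rejectTypeMetadata(child);
            }
        }
    }

    // Parses untrusted JSON into the fixed DTO; the caller, not the payload, decides the target type.
    public static UserDto parseUser(String json) throws JsonProcessingException {
        JsonNode tree = MAPPER.readTree(json);
        rejectTypeMetadata(tree);
        return MAPPER.treeToValue(tree, UserDto.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one well-formed DTO, one carrying a discriminator key.
        String benign = "{\"username\":\"alice\",\"age\":30}";
        String tagged = "{\"@type\":\"com.example.NotADto\",\"username\":\"alice\",\"age\":30}";

        UserDto u = parseUser(benign);
        System.out.println("bound: " + u.username + " / " + u.age);

        try {
            parseUser(tagged);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The tree check is defense in depth: with default typing deactivated and FAIL_ON_UNKNOWN_PROPERTIES enabled, Jackson would already fail on the "@type" key, but rejecting discriminators explicitly produces a clear error that can be logged and alerted on rather than a generic mapping failure.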
