Deserialization of Untrusted Data in Groovy

RSS Feed CRITICAL

GHSA-xphj-m9cc-8fmq CVE-2016-6814

Description:

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

Affected Packages

Ecosystem	Package	Vulnerable Versions	Patched Version
maven	`org.codehaus.groovy:groovy`	`>= 1.7.0, <= 2.4.7`	`2.4.8`

Related Dependabot Pull Requests

All Open Closed Merged

No Related Pull Requests

No Dependabot pull requests have been found that reference this security advisory.

Actions

View on GitHub All Advisories

Advisory Details

Published:	May 13, 2022 about 4 years ago
Updated:	June 10, 2026 1 day ago
CVSS Score:	9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS:	24.32% 96th percentile
Source:	Github
Classification:	GENERAL
UUID:	`GSA_kwCzR0hTQS14cGhqLW05Y2MtOGZtcc4AAQZQ`

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Dependabot