Basic Information
- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.clojure:clojure | maven | < 1.9.0 | 1.9.0 |
The vulnerability stems from Clojure's proxy class generation mechanism. The `generate-proxy` function produced proxy classes that were themselves serializable whenever the proxied superclass or interfaces were `Serializable`, and those classes stored their method implementations (Clojure functions) in the `__clojureFnMap` field. An attacker could craft a serialized object carrying a malicious function mapping in that field; when the object was deserialized as part of a `HashMap` (whose deserialization invokes `hashCode`/`equals` on its entries), the attacker-supplied functions were executed. The patch explicitly disables serialization of proxy classes by adding `writeObject`/`readObject` methods that throw `NotSerializableException`, which confirms proxy serialization as the root cause. The test cases added in `java_interop.clj` specifically verify that proxies can no longer be serialized, further identifying this as the vulnerable code path.