7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-22871

GHSA ID

GHSA-vr64-r9qj-h27f

EPSS Score

0.25201%

CWE

CWE-502

Published

2/29/2024

Updated

8/13/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-22871

CVE-2024-22871: Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service

Any program on the JVM may read serialized objects via java.io.ObjectInputStream.readObject(). Reading serialized objects from an untrusted source is inherently unsafe (this affects any program running on any version of the JVM) and is a prerequisite for this vulnerability.

Clojure classes that represent infinite seqs (Cycle, infinite Repeat, and Iterate) do not define hashCode() and use the parent ASeq.hashCode(), which walks the seq to compute the hash, yielding an infinite loop. Classes like java.util.HashMap call hashCode() on keys during deserialization of a serialized map.

The exploit requires:

Crafting a serialized HashMap object with an infinite seq object as a key.
Sending that to a program that reads serialized objects via ObjectInputStream.readObject().

This will cause the program to enter an infinite loop on the reading thread and thus a denial of service (DoS).

The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-22871

CVE-2024-22871:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-22871

GHSA ID

GHSA-vr64-r9qj-h27f

EPSS Score

0.25201%

CWE

CWE-502

Published

2/29/2024

Updated

8/13/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.clojure:clojure	maven	>= 1.7.0, < 1.11.2	1.11.2
org.clojure:clojure	maven	>= 1.12.0-alpha1, < 1.12.0-alpha9	1.12.0-alpha9

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Clojure's infinite sequence classes (Cycle, Repeat, Iterate) inheriting ASeq.hashCode() that walks the entire sequence. The exploit specifically uses clojure.core$partial$fn__5920 to construct malicious Iterate instances, as shown in the GenData.java PoC and Clojure verification scripts. This function's involvement in creating the problematic proxy objects is confirmed across multiple sources including NVD descriptions, Fedora advisories, and the HackMD technical analysis. The combination of 1) being part of the deserialization payload construction and 2) enabling infinite sequence creation makes this function directly vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-22871: Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service

CVE-2024-22871:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-22871: Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI