7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-22871

GHSA ID

GHSA-vr64-r9qj-h27f

EPSS Score

0.25201%

CWE

CWE-502

Published

2/29/2024

Updated

8/13/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-22871

CVE-2024-22871: Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service

Any program on the JVM may read serialized objects via java.io.ObjectInputStream.readObject(). Reading serialized objects from an untrusted source is inherently unsafe (this affects any program running on any version of the JVM) and is a prerequisite for this vulnerability.

Clojure classes that represent infinite seqs (Cycle, infinite Repeat, and Iterate) do not define hashCode() and use the parent ASeq.hashCode(), which walks the seq to compute the hash, yielding an infinite loop. Classes like java.util.HashMap call hashCode() on keys during deserialization of a serialized map.

The exploit requires:

Crafting a serialized HashMap object with an infinite seq object as a key.
Sending that to a program that reads serialized objects via ObjectInputStream.readObject().

This will cause the program to enter an infinite loop on the reading thread and thus a denial of service (DoS).

The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-22871

GHSA ID

GHSA-vr64-r9qj-h27f

EPSS Score

0.25201%

CWE

CWE-502

Published

2/29/2024

Updated

8/13/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.clojure:clojure	maven	>= 1.7.0, < 1.11.2	1.11.2
org.clojure:clojure	maven	>= 1.12.0-alpha1, < 1.12.0-alpha9	1.12.0-alpha9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Clojure's infinite sequence classes (Cycle, Repeat, Iterate) inheriting ASeq.hashCode() that walks the entire sequence. The exploit specifically uses clojure.core$partial$fn__5920 to construct malicious Iterate instances, as shown in the GenData.java PoC and Clojure verification scripts. This function's involvement in creating the problematic proxy objects is confirmed across multiple sources including NVD descriptions, Fedora advisories, and the HackMD technical analysis. The combination of 1) being part of the deserialization payload construction and 2) enabling infinite sequence creation makes this function directly vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ny pro*r*m on t** JVM m*y r*** s*ri*liz** o*j**ts vi* [j*v*.io.O*j**tInputStr**m.r***O*j**t()](*ttps://*o*s.or**l*.*om/j*v*s*/*/*o*s/*pi/j*v*/io/O*j**tInputStr**m.*tml#r***O*j**t--). R***in* s*ri*liz** o*j**ts *rom *n untrust** sour** is **in**r*ntl

Reasoning

T** vuln*r**ility st*ms *rom *lojur*'s in*init* s*qu*n** *l*ss*s (*y*l*, R*p**t, It*r*t*) in**ritin* `*S*q.**s**o**()` t**t w*lks t** *ntir* s*qu*n**. T** *xploit sp**i*i**lly us*s `*lojur*.*or*$p*rti*l$*n__****` to *onstru*t m*li*ious It*r*t* inst*n

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-22871: Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI