3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-13805

GHSA ID

GHSA-fgmj-6h3v-4q56

EPSS Score

0.00034%

CWE

CWE-20

Published

12/1/2025

Updated

12/2/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-13805

CVE-2025-13805: NutzBoot vulnerable to deserialization

A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-13805

CVE-2025-13805:

3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-13805

GHSA ID

GHSA-fgmj-6h3v-4q56

EPSS Score

0.00034%

CWE

CWE-20

Published

12/1/2025

Updated

12/2/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.nutz:nutzboot-parent	maven	<= 2.6.0-SNAPSHOT

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the literpc HTTP endpoint, which allows client-side selection of the serialization mechanism via the LiteRpc-Serializer HTTP header. The core of the issue is twofold. First, the HttpServletRpcEndpoint.doFilter method blindly trusts this header to select a serializer. Second, one of the available serializers, JdkRpcSerializer, uses Java's native ObjectInputStream.readObject method, which is known to be unsafe when used on untrusted data. An attacker can exploit this by sending a request with LiteRpc-Serializer: jdk and a malicious serialized Java object in the request body. The doFilter method will route this input to the JdkRpcSerializer.read method, which will then deserialize the payload, leading to remote code execution. Both functions would appear in a stack trace during exploitation, with doFilter being the entry point and read being the function that directly triggers the vulnerable operation.

Vulnerable functions

org.nutz.boot.starter.literpc.impl.endpoint.http.HttpServletRpcEndpoint.doFilter

nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java

This function acts as the entry point for the vulnerability. It reads the 'LiteRpc-Serializer' header from the incoming HTTP request to determine which serializer to use. It then reads the entire request body and passes it to the selected serializer's `read` method. By specifying 'jdk' as the serializer, an attacker can force the application to deserialize a malicious Java object from the request body.

org.nutz.boot.starter.literpc.impl.serializer.JdkRpcSerializer.read

nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/serializer/JdkRpcSerializer.java

This function performs the actual insecure deserialization. It takes an InputStream, wraps it in an `ObjectInputStream`, and calls `readObject()`. This allows an attacker to execute arbitrary code by providing a crafted serialized object (a gadget chain) in the request body when the 'jdk' serializer is selected via the 'LiteRpc-Serializer' header.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-13805: NutzBoot vulnerable to deserialization

CVE-2025-13805:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

3.7

3.7

CVE-2025-13805: NutzBoot vulnerable to deserialization

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI