CVE-2021-34371

CRITICAL9.8EPSS 68.1%

Deserialization of Untrusted Data in Neo4j

Published: 9/1/2021Modified: 4/3/2025

Description

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains.

Affected packages (2)

Bitnami/neo4jfrom 0, < 3.4.19
Maven/org.neo4j:neo4jfrom 0, < 3.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-34371
PATCHhttps://github.com/neo4j/neo4j
WEBhttps://www.exploit-db.com/exploits/50170