CVE-2022-25647 — Deserialization of Untrusted Data in Gson

Description

The package `com.google.code.gson:gson` before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the `writeReplace()` method in internal classes, which may lead to denial of service attacks.

How to fix CVE-2022-25647

To remediate CVE-2022-25647, upgrade the affected package to a fixed version below.

Debian/libgoogle-gson-java—upgrade to 2.8.6-1+deb11u1 or later
—upgrade to 2.4-1+deb9u1 or later
—upgrade to 2.8.5-3+deb10u1 or later
—upgrade to 2.8.6-1+deb11u1 or later
—upgrade to 2.8.9 or later

Is CVE-2022-25647 being exploited?

Low — EPSS is 2.3%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

from 0, < 2.8.6-1+deb11u1
from 0, < 2.4-1+deb9u1
from 0, < 2.8.5-3+deb10u1
from 0, < 2.8.6-1+deb11u1
from 0, < 2.8.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25647
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-25647
PATCHgithub.com/google/gson
WEBgithub.com/google/gson/pull/1991
WEBgithub.com