CVE-2025-31129

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-31129

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31129.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-31129

Aliases

GHSA-7c5v-895v-w4q5

Published

2025-03-31T19:10:57.599Z

Modified

2026-04-10T05:25:38.599649Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

jooby-pac4j: deserialization of untrusted data

Details

Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x).

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31129.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-502"
    ]
}

References

Affected packages

Git / github.com/jooby-project/jooby

Affected ranges

Type

GIT

Repo

https://github.com/jooby-project/jooby

Events

Introduced

f71b551213ac03523e44a7fbb8c972b752ffc707

Fixed

b6655544cdbb1adb032710ba5a2867f2d9ea7f4b

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0.M1"
        },
        {
            "fixed": "3.7.0"
        }
    ]
}

Type

GIT

Repo

https://github.com/jooby-project/jooby

Events

Introduced

Fixed

5adecacc2ce8962bd6eb41a438c39404599c812a

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.17.0"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.11.1

v0.11.2

v0.14.0

v0.15.0

v0.15.1

v0.16.0

v0.2.0

v0.2.1

v0.3.0

v0.4.0

v0.4.1

v0.4.2

v0.5.0

v0.5.1

v0.5.3

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.8.0

v0.8.2

v0.9.0

v0.9.1

v0.9.2

v1.*

v1.0.0

v1.0.0.CR1

v1.0.0.CR2

v1.0.0.CR3

v1.0.0.CR4

v1.0.0.CR5

v1.0.0.CR6

v1.0.0.CR7

v1.0.0.CR8

v1.0.1

v1.0.2

v1.0.3

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.3.0

v1.4.0

v1.4.1

v1.5.0

v2.*

v2.0.0

v2.0.0.M1

v2.0.0.M2

v2.0.0.M3

v2.0.0.RC1

v2.0.0.RC2

v2.0.0.RC3

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.10.0

v2.11.0

v2.12.0

v2.13.0

v2.14.0

v2.14.1

v2.14.2

v2.15.0

v2.15.1

v2.16.0

v2.16.1

v2.16.2

v2.16.4

v2.2.1

v2.3.0

v2.3.1

v2.4.0

v2.5.0

v2.5.1

v2.6.0

v2.6.2

v2.7.0

v2.7.1

v2.7.2

v2.7.3

v2.8.0

v2.8.1

v2.8.10

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v2.8.6

v2.8.7

v2.8.8

v2.8.9

v2.9.0

v2.9.1

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v2.9.6

v3.*

v3.0.0.M1

v3.0.0.M10

v3.0.0.M11

v3.0.0.M2

v3.0.0.M4

v3.0.0.M6

v3.0.0.M7

v3.0.0.M8

v3.0.0.M9

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.9

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.2.0

v3.2.1

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3.0

v3.3.1

v3.4.0

v3.4.2

v3.4.3

v3.5.0

v3.5.1

v3.5.3

v3.5.4

v3.5.5

v3.6.0

v3.6.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31129.json"