CVE-2025-31129
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-31129
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31129.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-31129
- Aliases
- Published
- 2025-03-31T19:10:57.599Z
- Modified
- 2025-12-05T08:54:42.980438Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- jooby-pac4j: deserialization of untrusted data
- Details
-
Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x).
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-502" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31129.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31129.json
- https://github.com/jooby-project/jooby/blob/v2.x/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L39-L45
- https://github.com/jooby-project/jooby/blob/v3.6.1/modules/jooby-pac4j/src/main/java/io/jooby/internal/pac4j/SessionStoreImpl.java#L77-L84
- https://github.com/jooby-project/jooby/commit/3e13562cf36d7407813eae464e0f4b598de15692
- https://github.com/jooby-project/jooby/security/advisories/GHSA-7c5v-895v-w4q5
- https://nvd.nist.gov/vuln/detail/CVE-2025-31129
Affected packages
Git / github.com/jooby-project/jooby
Affected ranges
Affected versions
v3.*
v3.0.0.M1
v3.0.0.M10
v3.0.0.M11
v3.0.0.M2
v3.0.0.M4
v3.0.0.M6
v3.0.0.M7
v3.0.0.M8
v3.0.0.M9
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.9
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.2.0
v3.2.1
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1
v3.4.0
v3.4.2
v3.4.3
v3.5.0
v3.5.1
v3.5.3
v3.5.4
v3.5.5
v3.6.0
v3.6.1