Description
A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface.
Remediation
References
https://github.com/ptaoussanis/nippy/issues/130
Related Vulnerabilities
CVE-2017-16194 Vulnerability in npm package picard
CVE-2021-27738 Vulnerability in maven package org.apache.kylin:kylin-stream-coordinator
CVE-2023-22467 Vulnerability in maven package org.webjars.npm:luxon
CVE-2016-0779 Vulnerability in maven package org.apache.tomee:arquillian-tomee-embedded
CVE-2023-36479 Vulnerability in maven package org.eclipse.jetty:jetty-servlets