CVE-2017-20189

9.8 CRITICAL

📋 TL;DR

This vulnerability in Clojure allows remote code execution through deserialization of untrusted objects. Attackers can craft malicious serialized objects that execute arbitrary code when deserialized by vulnerable Clojure applications. This affects any server or application using Clojure versions before 1.9.0 that deserializes untrusted data.

💻 Affected Systems

Products:
  • Clojure programming language
  • Applications built with Clojure
Versions: All versions before 1.9.0
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if application deserializes untrusted objects. Many Clojure applications may not use serialization features.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with remote code execution, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Server compromise leading to data theft, service disruption, or deployment of backdoors/malware.

🟢

If Mitigated

No impact if proper input validation and deserialization controls are implemented.

🌐 Internet-Facing: HIGH - Internet-facing servers deserializing untrusted data are directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications could be exploited through lateral movement or insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit tools like ysoserial include payloads for this vulnerability. An attack requires the ability to send serialized objects to a vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Clojure 1.9.0 and later

Vendor Advisory: https://clojure.atlassian.net/browse/CLJ-2204

Restart Required: Yes

Instructions:

1. Update the Clojure dependency to version 1.9.0 or later in your project.clj or build configuration.
2. Rebuild and redeploy your application.
3. Restart all affected services.

🔧 Temporary Workarounds

Workaround 1: Disable unsafe deserialization
Versions: all
Implement custom deserialization that validates or rejects untrusted objects:
  • Implement a custom ObjectInputStream with resolveClass() validation
  • Use safe serialization libraries like Kryo with proper configuration

Workaround 2: Input validation and filtering
Versions: all
Validate and sanitize all serialized data inputs before processing:
  • Implement a whitelist of allowed classes for deserialization
  • Use the Java Security Manager with restrictive policies
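
An added example (not from this advisory or the Clojure project) of the resolveClass() allowlist workaround above, written in Clojure with proxy; the example.safe-deser namespace and the allowlisted class names are assumptions for a hypothetical application that only exchanges strings, boxed integers and ArrayLists of them:

```clojure
(ns example.safe-deser
  (:import [java.io ObjectInputStream ObjectOutputStream ObjectStreamClass
            ByteArrayInputStream ByteArrayOutputStream InputStream
            InvalidClassException]))

;; Assumption: this application only ever exchanges strings, boxed integers
;; and ArrayLists of them. Everything else is refused by name before the JVM
;; instantiates it, so gadget classes never get a chance to run.
(def allowed-classes
  #{"java.lang.String" "java.lang.Integer" "java.lang.Long" "java.lang.Number"
    "java.util.ArrayList"})

(defn safe-object-input-stream
  "ObjectInputStream whose resolveClass rejects anything outside the allowlist.
   resolveClass is called for every class descriptor in the stream (including
   superclasses such as java.lang.Number), so the check covers the whole graph."
  ^ObjectInputStream [^InputStream in]
  (proxy [ObjectInputStream] [in]
    (resolveClass [^ObjectStreamClass desc]
      (let [cname (.getName desc)]
        (if (contains? allowed-classes cname)
          (proxy-super resolveClass desc)
          (throw (InvalidClassException.
                  cname "class not on deserialization allowlist")))))))

(defn serialize
  "Standard Java serialization, used here only to build test input."
  ^bytes [obj]
  (let [bos (ByteArrayOutputStream.)]
    (with-open [oos (ObjectOutputStream. bos)]
      (.writeObject oos obj))
    (.toByteArray bos)))

(defn safe-deserialize [^bytes bs]
  (with-open [ois (safe-object-input-stream (ByteArrayInputStream. bs))]
    (.readObject ois)))

(defn -main [& _]
  ;; An allowlisted payload round-trips normally.
  (println "ok:" (safe-deserialize (serialize (java.util.ArrayList. ["a" (int 1)]))))
  ;; A class outside the allowlist (here a constructed, harmless HashMap) is
  ;; rejected in resolveClass, i.e. before readObject or hashCode on it runs.
  (try
    (safe-deserialize (serialize (java.util.HashMap.)))
    (catch InvalidClassException e
      (println "rejected:" (.getMessage e)))))
```

On Java 9+ the same allowlist can also be enforced as a JEP 290 ObjectInputFilter (ObjectInputStream.setObjectInputFilter or the jdk.serialFilter system property), which additionally covers streams opened by third-party libraries rather than by your own code.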

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Deploy web application firewall (WAF) rules to block serialized object payloads

🔍 How to Verify

Check if Vulnerable:

Check project.clj, pom.xml, or build.gradle for the Clojure version. If the version is < 1.9.0 and the application deserializes untrusted data, it is vulnerable.

Check Version:

  • lein deps :tree | grep clojure
  • or check project.clj for [org.clojure/clojure "version"]

Verify Fix Applied:

Verify that the Clojure version is 1.9.0 or later in the resolved dependencies and test the application's deserialization functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Java class loading errors
  • Unexpected process execution from Java applications
  • Stack traces containing clojure.lang classes

Network Indicators:

  • Base64 encoded serialized objects in HTTP requests
  • Unusual outbound connections from Java processes

SIEM Query:

source="application.logs" AND ("ClassNotFoundException" OR "InvalidClassException") AND "clojure"
