CVE-2020-24164

CVSS 3.x base score: 7.8 (HIGH)

📋 TL;DR

CVE-2020-24164 is a deserialization-of-untrusted-data flaw in Taoensso Nippy, a Clojure serialization library, in versions before 2.14.2. For types it has no native encoding for, Nippy falls back to Java's `Serializable` interface, and on the read side `thaw` hands the embedded object bytes to `java.io.ObjectInputStream`. Before 2.14.2 nothing restricted which classes `thaw` would accept this way, so an attacker who controls the bytes passed to `nippy/thaw` can name a gadget class and drive a standard Java deserialization gadget chain to code execution inside the application's JVM. Any application that thaws data an attacker can write (a shared cache, queue, database row or message) is exposed.

💻 Affected Systems

Products:
  • Taoensso Nippy (Maven coordinates `com.taoensso/nippy`), including copies pulled in transitively by libraries such as Carmine and Faraday
Versions: All versions before 2.14.2
Operating Systems: All platforms running a JVM
Default Config Vulnerable: ⚠️ Yes
Notes: The default `thaw` configuration accepts Java `Serializable` objects without restriction. An application is only exposed where it calls `thaw` on bytes an attacker can influence; thawing data the application itself froze and stored in a location nobody else can write to is not an attack surface.

📦 What is this software?

Nippy is a serialization library for Clojure (`freeze` turns Clojure data into a compact binary payload, `thaw` reads it back). It is the storage format used by several Clojure libraries, notably Carmine (Redis) and Faraday (DynamoDB), so applications may depend on it without referencing it directly.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the application's JVM process, leading to full host compromise, theft of the data the application can reach, or ransomware deployment.

🟠

Likely Case

Compromise of the application process via a gadget chain in a thawed payload, leading to data exposure, denial of service (a crafted payload can also simply exhaust memory or CPU during deserialization), or lateral movement using the application's credentials.

🟢

If Mitigated

If `thaw` only ever receives authenticated data from trusted writers, or runs with the Serializable allowlist restricted to the classes actually needed, a malicious payload is rejected before or during deserialization and the impact is at most a failed request or a denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control the bytes that reach `nippy/thaw`, typically by writing into a cache, queue or datastore the application later reads from. Nothing Nippy-specific is needed beyond wrapping the payload: the Java deserialization gadget chains and tooling (ysoserial and similar) are well documented, and whichever gadget libraries are on the application's classpath determine what the attacker can do.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.14.2 (and all later releases, including the 3.x line)

Vendor Advisory: https://github.com/ptaoussanis/nippy/issues/130

Restart Required: Yes (the library is loaded into the JVM at start-up)

Instructions:

1. Bump the `com.taoensso/nippy` dependency to 2.14.2 or later in your project configuration (project.clj, deps.edn, pom.xml or build.gradle). Check the resolved dependency tree, not only the declared version: Carmine, Faraday and similar libraries bring their own Nippy version.
2. The fix introduces a class allowlist for the Java `Serializable` fallback (`taoensso.nippy/*thaw-serializable-allowlist*`). Any class your application legitimately freezes through that fallback must be added to the allowlist or it will no longer thaw, so run your test suite against the new version before deploying.
3. Rebuild and redeploy the application, then restart the affected services.

🔧 Temporary Workarounds

Thaw only trusted, authenticated bytes

Applies to: all versions

Nippy payloads are opaque binary, and a generic input filter cannot tell a legitimate `Serializable` record from a gadget chain. Never pass bytes an untrusted party can influence to `thaw`. Where payloads cross a trust boundary (a shared Redis, DynamoDB or message queue), have the writer authenticate them, for example with an HMAC over the frozen bytes that the reader verifies before calling `thaw`, so that a tampered payload is rejected without ever reaching the deserializer.

Restrict the Serializable fallback

Applies to: 2.14.2 and later

Versions before 2.14.2 offer no thaw-side switch that turns off the Java `Serializable` path, so on those versions the workaround above is the only one. From 2.14.2 on, bind `*thaw-serializable-allowlist*` to the smallest set of classes your data actually needs (ideally none: Clojure maps, vectors, sets, keywords, strings and numbers all have native Nippy encodings and never touch `ObjectInputStream`).
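The two workarounds above combined, as an added example written for this page (it is not Nippy's own code, nor from the advisory). `seal` appends an HMAC-SHA256 tag over the frozen bytes; `unseal` refuses to thaw anything whose tag does not verify, and only then calls `thaw` with `*thaw-serializable-allowlist*` bound to the caller's set, which requires Nippy 2.14.2 or later. The 32-byte `hmac-key`, the names `seal`/`unseal` and the sample payloads are assumptions for illustration; in a real service the key comes from a secret store and is shared only with writers you trust.

```clojure
(ns example.safe-thaw
  "Added example, not part of Nippy: authenticate payloads before thawing,
   and restrict the Java Serializable fallback to an explicit allowlist."
  (:require [taoensso.nippy :as nippy])
  (:import [javax.crypto Mac]
           [javax.crypto.spec SecretKeySpec]
           [java.security MessageDigest]
           [java.util Arrays]))

;; Hypothetical key for the example only. Load it from a secret store in
;; production; anyone holding it can forge payloads that `unseal` accepts.
(def ^:private hmac-key (byte-array (repeat 32 (byte 7))))

(def ^:private tag-len 32) ; HMAC-SHA256 output size in bytes

(defn- hmac-sha256 ^bytes [^bytes k ^bytes data]
  (let [mac (Mac/getInstance "HmacSHA256")]
    (.init mac (SecretKeySpec. k "HmacSHA256"))
    (.doFinal mac data)))

(defn seal
  "Freeze `x` with Nippy and append an HMAC tag over the frozen bytes,
   so a reader can reject tampered data without deserializing it."
  ^bytes [x]
  (let [body (nippy/freeze x)
        tag  (hmac-sha256 hmac-key body)]
    (byte-array (concat body tag))))

(defn unseal
  "Verify the tag in constant time, then thaw with only the classes in
   `allowlist` permitted through the Serializable fallback.
   `*thaw-serializable-allowlist*` exists from Nippy 2.14.2 onward."
  [^bytes sealed allowlist]
  (let [n (- (alength sealed) tag-len)]
    (when (neg? n)
      (throw (ex-info "payload too short to carry a tag" {:len (alength sealed)})))
    (let [body (Arrays/copyOfRange sealed 0 n)
          tag  (Arrays/copyOfRange sealed n (alength sealed))]
      ;; MessageDigest/isEqual avoids a timing side channel on the comparison.
      (when-not (MessageDigest/isEqual tag (hmac-sha256 hmac-key body))
        (throw (ex-info "HMAC mismatch: refusing to thaw" {})))
      (binding [nippy/*thaw-serializable-allowlist* allowlist]
        (nippy/thaw body)))))

(comment
  ;; Native Clojure data never touches ObjectInputStream, so an empty
  ;; allowlist is sufficient for it and this round-trips.
  (unseal (seal {:user "alice" :roles #{:admin}}) #{})

  ;; Flipping one byte (here: a byte in the Nippy header) fails the
  ;; HMAC check, and `thaw` is never reached.
  (let [s (seal {:a 1})]
    (aset-byte s 0 (byte 0))
    (unseal s #{})))
```

The order matters: the tag is checked over the raw frozen bytes before `thaw` sees them, which is what keeps a gadget chain out of `ObjectInputStream` on every version. The allowlist binding is defence in depth for 2.14.2 and later; how a non-allowlisted class is refused (exception versus a quarantined placeholder value) depends on the Nippy release, so check the README for the version you run.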

🧯 If You Can't Patch

  • Remove or disable every code path that thaws data from a location an attacker can write to; if the data must still flow, switch that channel to a format with no code-loading semantics (EDN, Transit or JSON) until you can upgrade.
  • Authenticate payloads that cross a trust boundary (HMAC by the writer, verified by the reader before `thaw`), and keep the key away from anyone who can write to the shared store.
  • Network segmentation to keep untrusted parties away from the caches, queues and datastores the application thaws from.
  • Application-level filtering of serialization payloads is a weak last resort: Nippy payloads are binary and gadget chains are easily varied, so treat any such filter as detection rather than prevention.
  • Run the JVM with least privilege and egress restrictions so that a successful gadget chain cannot fetch second-stage payloads or reach internal services.

🔍 How to Verify

Check if Vulnerable:

Look for `com.taoensso/nippy` at a version below 2.14.2 in the resolved dependency tree, not only in the declared dependencies: Nippy is frequently pulled in transitively by Carmine, Faraday and other libraries, and a direct dependency can be overridden by a transitive one.

Check Version:

Leiningen: `lein deps :tree | grep nippy`
Clojure CLI (tools.deps): `clojure -Stree | grep nippy`
Maven: `mvn dependency:tree | grep nippy`
Gradle: `gradle dependencies | grep nippy`

Verify Fix Applied:

After updating, the dependency tree must show a single Nippy entry at 2.14.2 or later (if two versions appear, pin the newer one and resolve the conflict), the rebuilt artifact must have been deployed, and the JVM must have been restarted so the new classes are the ones loaded.

📡 Detection & Monitoring

Log Indicators:

  • Stack traces that pass through `java.io.ObjectInputStream.readObject` with `taoensso.nippy` frames above it; `java.lang.ClassNotFoundException` or `java.io.InvalidClassException` raised during a thaw is what a failed gadget probe against a classpath lacking the gadget library looks like.
  • Unexpected child processes, or outbound connections (HTTP, LDAP, RMI) from the application's JVM shortly after a thaw.

Network Indicators:

  • Java serialization stream headers (bytes `AC ED 00 05`) inside payloads delivered to the application, where the application never freezes `Serializable` types itself.
  • Payloads containing class names from known Java deserialization gadget chains.

SIEM Query (adjust field names to your log schema; tune to your application's normal error volume):

source="application.logs" AND ("ObjectInputStream.readObject" OR "taoensso.nippy") AND ("ClassNotFoundException" OR "InvalidClassException" OR severity=ERROR)
