CVE-2022-25647
📋 TL;DR
CVE-2022-25647 is a deserialization-of-untrusted-data flaw in Google's Gson library in versions before 2.8.9. Gson's internal classes take part in Java object serialization through the writeReplace() hook, and before 2.8.9 nothing stopped a crafted Java serialization stream from reconstructing those internal classes directly; deserializing such a stream can trigger infinite recursion or resource exhaustion, a denial of service (DoS). The attack surface is Java object deserialization (ObjectInputStream) of attacker-controlled bytes by an application that has a vulnerable Gson on its classpath, not the JSON text that Gson.fromJson() parses. Any Java application or product that bundles a vulnerable Gson is affected.
💻 Affected Systems
- Google Gson library (com.google.code.gson:gson) before 2.8.9, including copies bundled transitively or inside vendor products
📦 What is this software?
Financial Services Crime And Compliance Management Studio by Oracle
Graalvm by Oracle
Gson by Google
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability due to resource exhaustion, potentially crashing the JVM and requiring service restart.
Likely Case
A worker thread dies with StackOverflowError, or the heap fills and the JVM stalls, each time a crafted serialized object reaches a deserialization endpoint; repeated requests turn that into sustained unavailability for legitimate users.
If Mitigated
Minimal impact. An application that never deserializes untrusted Java objects, or that enforces a deserialization filter rejecting Gson's internal classes, has no practical exposure even on a vulnerable version; resource limits on their own only shorten the outage rather than prevent it.
🎯 Exploit Status
Exploitation requires that the target deserialize attacker-controlled bytes with Java's ObjectInputStream (directly, or through a framework that does so on its behalf) while a Gson version below 2.8.9 is on the classpath; sending JSON to a Gson.fromJson() endpoint is not the trigger. No public exploit is referenced on this page; the affected code paths and the fix are documented in the GitHub pull request linked below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.9 and later
Vendor Advisory: https://github.com/google/gson/pull/1991
Restart Required: Yes
Instructions:
1. Update the Gson dependency to 2.8.9 or later in your build configuration (Maven, Gradle, etc.). Check the resolved dependency tree, not just your direct declarations: a vulnerable Gson is often pulled in transitively, so pin the version (Maven dependencyManagement, a Gradle resolution strategy) so that every copy is upgraded.
2. If Gson arrives through a distribution package or a vendor product (Debian's libgoogle-gson-java, Oracle GraalVM and Financial Services Crime And Compliance Management Studio appear in the references), apply that vendor's update instead of, or in addition to, the build change.
3. Rebuild and redeploy your application.
4. Restart affected services; the old jar stays loaded until the JVM exits.
🔧 Temporary Workarounds
Restrict Java deserialization
Do not deserialize untrusted bytes with ObjectInputStream where you can avoid it. Where you cannot, enforce a deserialization filter (JEP 290, java.io.ObjectInputFilter, built into Java 9+ and backported to 8u121 together with the jdk.serialFilter system property) that rejects com.google.gson.internal.** and caps object-graph depth and size, so a crafted stream is stopped before the vulnerable internal classes are instantiated. Validating JSON text does not address this issue, because the trigger is a Java serialization stream rather than JSON.
Resource limiting
Bound what a single malicious stream can consume: set JVM heap and thread-stack limits and put circuit breakers in front of deserialization endpoints, so a StackOverflowError or OutOfMemoryError is contained rather than taking the whole service down. This limits damage; it does not remove the flaw.
java -Xmx512m -Xss256k -jar yourapp.jar
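Worked example of the deserialization-filter workaround, written for this page and not taken from the Gson project or the advisory. It assumes Java 9 or later (for java.io.ObjectInputFilter) and uses only JDK classes, so it compiles and runs without Gson on the classpath; the class name GsonSafeDeserializer, the limits in FILTER_PATTERN and the sample inputs are all the author's choices. The constructed 100-deep list stands in for a hostile object graph to show the depth limit firing; it is not the CVE payload itself.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Gson project code): a JEP 290 filter that refuses Gson's
 * internal classes and bounds the object graph, installed on every stream we read.
 * Requires Java 9+ for java.io.ObjectInputFilter.
 */
public final class GsonSafeDeserializer {

    // JEP 290 pattern syntax: "!" rejects, "**" matches a whole package subtree,
    // the limits cap graph depth, reference count, stream bytes and array sizes.
    // The package com.google.gson.internal is the CVE's attack surface; the limit
    // values are assumptions tuned for small request objects, not JDK defaults.
    static final String FILTER_PATTERN =
        "!com.google.gson.internal.**;maxdepth=32;maxrefs=10000;maxbytes=1048576;maxarray=100000";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    /** Deserialize with the filter installed; a rejected class or exceeded limit
     *  surfaces as InvalidClassException ("filter status: REJECTED") before the
     *  offending object is constructed. */
    public static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER); // must be set before readObject()
            return in.readObject();
        }
    }

    /** Plain Java serialization, used here only to build test streams. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: JDK types, shallow graph, passes the filter.
        List<String> ok = new ArrayList<>(List.of("a", "b"));
        System.out.println("accepted: " + deserialize(serialize(ok)));

        // Constructed hostile-shaped input: 100 nested lists exceed maxdepth=32,
        // so the filter aborts the read partway through the stream.
        List<Object> nested = new ArrayList<>();
        List<Object> cursor = nested;
        for (int i = 0; i < 100; i++) {
            List<Object> inner = new ArrayList<>();
            cursor.add(inner);
            cursor = inner;
        }
        try {
            deserialize(serialize(nested));
            System.out.println("unexpected: nested graph accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with javac GsonSafeDeserializer.java && java GsonSafeDeserializer. The same pattern string can be applied process-wide without touching code through the JVM property -Djdk.serialFilter='!com.google.gson.internal.**;maxdepth=32', which also covers frameworks that call ObjectInputStream on your behalf and works on Java 8u121 and later; a per-stream filter, as shown, only protects the streams you open yourself.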
🧯 If You Can't Patch
- Put network-level protections in front of deserialization endpoints: a WAF or proxy rule that blocks request bodies starting with the Java serialization magic bytes AC ED 00 05 (rO0AB when base64-encoded) from untrusted sources is far more precise than trying to flag "suspicious JSON"
- Isolate vulnerable applications in segmented network zones with strict access controls, and limit which callers can reach any endpoint that accepts serialized Java objects
🔍 How to Verify
Check if Vulnerable:
Inspect the resolved dependency tree, not only pom.xml or build.gradle, because a vulnerable Gson is often pulled in transitively; look for any com.google.code.gson:gson below 2.8.9. Compare versions numerically: 2.10.x is newer than 2.8.9 even though it sorts lower as a string.
Check Version:
mvn dependency:tree -Dincludes=com.google.code.gson
gradle dependencies --configuration runtimeClasspath | grep gson
gradle dependencyInsight --dependency gson --configuration runtimeClasspath
On a deployed system, check the gson jar name under the application's lib directory (WEB-INF/lib for web applications), and remember that a shaded or fat jar can embed Gson under the application's own jar name.
Verify Fix Applied:
Confirm that every Gson coordinate in the resolved tree and every Gson jar in the deployed artifact is 2.8.9 or higher, then restart and confirm the running JVM has loaded the new jar rather than a stale copy.
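Worked example of the version check, written for this page and not part of the Gson project or any vendor tooling: it parses Maven dependency:tree output for com.google.code.gson:gson coordinates and compares each version numerically against 2.8.9, which a string comparison gets wrong for 2.10.x. The class name GsonVersionAudit and the embedded sample tree are the author's constructions; feed it real output with java GsonVersionAudit < tree.txt.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/** Added example (not Gson project code): flag Gson coordinates below 2.8.9 in dependency:tree output. */
public final class GsonVersionAudit {
    static final String FIXED = "2.8.9";

    // Maven prints coordinates as group:artifact:type[:classifier]:version[:scope];
    // the lazy \S+? absorbs type and optional classifier, group 1 is the version.
    static final Pattern GSON = Pattern.compile("com\\.google\\.code\\.gson:gson:\\S+?:([0-9][\\w.-]*)");

    /** Segment-wise numeric compare so 2.10.1 > 2.8.9 (String.compareTo would say the opposite).
     *  Non-numeric segments such as SNAPSHOT count as 0, so 2.8.9-SNAPSHOT is treated as fixed. */
    static int compareVersions(String a, String b) {
        String[] x = a.split("[.-]"), y = b.split("[.-]");
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? parseOrZero(x[i]) : 0;
            int yi = i < y.length ? parseOrZero(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    private static int parseOrZero(String s) {
        try { return Integer.parseInt(s); } catch (NumberFormatException e) { return 0; }
    }

    static boolean isVulnerable(String version) {
        return compareVersions(version, FIXED) < 0;
    }

    /** Returns every line carrying a Gson coordinate below the fixed version. */
    static List<String> findVulnerable(String treeOutput) {
        List<String> hits = new ArrayList<>();
        for (String line : treeOutput.split("\\R")) {
            Matcher m = GSON.matcher(line);
            if (m.find() && isVulnerable(m.group(1))) hits.add(line.trim());
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String input;
        if (System.in.available() > 0) {
            // Real use: mvn dependency:tree -Dincludes=com.google.code.gson | java GsonVersionAudit
            input = new BufferedReader(new InputStreamReader(System.in)).lines()
                    .collect(Collectors.joining("\n"));
        } else {
            // Constructed sample: a direct 2.10.1 (fixed) and a transitive 2.8.6 (vulnerable).
            input = String.join("\n",
                "[INFO] com.example:app:jar:1.0.0",
                "[INFO] +- com.google.code.gson:gson:jar:2.10.1:compile",
                "[INFO] \\- org.example:legacy-client:jar:3.2.0:compile",
                "[INFO]    \\- com.google.code.gson:gson:jar:2.8.6:runtime");
        }
        List<String> hits = findVulnerable(input);
        if (hits.isEmpty()) {
            System.out.println("no Gson below " + FIXED + " found");
        } else {
            hits.forEach(l -> System.out.println("VULNERABLE: " + l));
        }
    }
}
```

Maven's nearest-wins mediation normally leaves only one Gson on the classpath, so run the tree with -Dverbose to see the versions it omitted; this tool flags any vulnerable coordinate it sees, which is the conservative answer when the same jar is also shipped inside a shaded artifact.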
📡 Detection & Monitoring
Log Indicators:
- StackOverflowError whose stack trace passes through ObjectInputStream.readObject and com.google.gson.internal classes
- OutOfMemoryError raised while a thread is inside ObjectInputStream.readObject
- Unusually high CPU/memory usage on threads that deserialize Java objects
- If a deserialization filter is deployed: java.io.InvalidClassException with "filter status: REJECTED" naming a com.google.gson.internal class, which indicates a blocked attempt rather than a successful attack
Network Indicators:
- Request bodies beginning with the Java serialization magic bytes AC ED 00 05 (rO0AB in base64) arriving at endpoints not expected to receive serialized objects, or from unexpected sources
- Repeated such requests correlated with service degradation or thread death
SIEM Query:
source="application.logs" AND ("StackOverflowError" OR "OutOfMemoryError" OR "filter status: REJECTED") AND ("ObjectInputStream" OR "gson")
🔗 References
- https://github.com/google/gson/pull/1991
- https://github.com/google/gson/pull/1991/commits
- https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html
- https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html
- https://security.netapp.com/advisory/ntap-20220901-0009/
- https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327
- https://www.debian.org/security/2022/dsa-5227
- https://www.oracle.com/security-alerts/cpujul2022.html