Spring Data Redis Insecure Deserialization
Last updated
Spring Data Redis, part of the larger Spring Data family, provides easy configuration and access to Redis from Spring applications. Spring Data Redis serializes data before writing it to Redis. By default, Java native serialization (JdkSerializationRedisSerializer) is used.
When Spring Data Redis retrieves data from Redis, the stored serialized bytes are deserialized. Since the target class is not checked or filtered during deserialization, anyone who can write to the Redis instance can supply a gadget chain, which can lead to remote code execution.
Example of exploitation:
Generate payload with ysoserial
Write the generated payload in Redis:
Trigger or wait for Spring to retrieve data, example of vulnerable code:
Server starts calculator successfully:
The call stack is as follows:
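The mitigation is to stop deserializing untrusted bytes with Java native serialization. The configuration below is an added example, not code from the original page or from Spring Data Redis itself; it shows the weak default beside a hardened template bound to one concrete class, plus a JVM-wide deserialization filter as defence in depth. `RedisConfig`, `Profile` and the `com.example.app` package are assumed names.

```java
import java.io.ObjectInputFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.serializer.Jackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer;
import org.springframework.data.redis.serializer.StringRedisSerializer;

@Configuration
public class RedisConfig {

    // Weak setting: equivalent to the default a RedisTemplate falls back to when
    // no value serializer is configured. Reading a value back runs Java native
    // deserialization on whatever bytes are stored under the key, so any
    // Serializable class on the classpath can be instantiated.
    public RedisTemplate<String, Object> unsafeTemplate(RedisConnectionFactory cf) {
        RedisTemplate<String, Object> t = new RedisTemplate<>();
        t.setConnectionFactory(cf);
        t.setValueSerializer(new JdkSerializationRedisSerializer());
        t.afterPropertiesSet();
        return t;
    }

    // Hardened setting: keys are plain strings and values are JSON mapped onto
    // one concrete application type (assumed: com.example.app.Profile). No
    // class name is read from the stored data, so there is no gadget to reach.
    @Bean
    public RedisTemplate<String, Profile> profileTemplate(RedisConnectionFactory cf) {
        RedisTemplate<String, Profile> t = new RedisTemplate<>();
        t.setConnectionFactory(cf);
        t.setKeySerializer(new StringRedisSerializer());
        t.setHashKeySerializer(new StringRedisSerializer());
        t.setValueSerializer(new Jackson2JsonRedisSerializer<>(Profile.class));
        t.setHashValueSerializer(new Jackson2JsonRedisSerializer<>(Profile.class));
        t.afterPropertiesSet();
        return t;
    }

    // Defence in depth (Java 9+): a process-wide ObjectInputStream filter that
    // only allows the application's own packages and rejects everything else.
    // It applies to every ObjectInputStream in the JVM, including any remaining
    // JdkSerializationRedisSerializer, and can be set only once per process.
    public static void installSerialFilter() {
        ObjectInputFilter allowOwnClassesOnly =
                ObjectInputFilter.Config.createFilter("com.example.app.**;!*");
        ObjectInputFilter.Config.setSerialFilter(allowOwnClassesOnly);
    }
}
```

Call `installSerialFilter()` early at startup (for example from `main` before the Spring context is created), and check the allowlist against the classes your own cached objects reference so legitimate reads are not rejected.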