SOFA Hessian Remote Command Execution (RCE) Vulnerability

GHSA-c459-2m73-67hj · CVE-2024-46983

Published Sep 19, 2024 · Modified Apr 17, 2026

Description

Impact

SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components.

Patches

Fixed this issue by update blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue.

Workarounds

You can maintain a blacklist yourself in this directory external/serialize.blacklist.

References

WEB https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-46983
WEB https://github.com/sofastack/sofa-hessian/commit/764ef4b216aee6aeb4b111aec8947a4e8b53bb87
PACKAGE https://github.com/sofastack/sofa-hessian

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes