Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2024-22871
Back to All
CVE

CVE-2024-22871

Reading specially crafted serializable objects from an untrusted source may cause an infinite loop and denial of service

Description

Any program on the JVM may read serialized objects via java.io.ObjectInputStream.readObject(). Reading serialized objects from an untrusted source is inherently unsafe (this affects any program running on any version of the JVM) and is a prerequisite for this vulnerability.

Clojure classes that represent infinite seqs (Cycle, infinite Repeat, and Iterate) do not define hashCode() and use the parent ASeq.hashCode(), which walks the seq to compute the hash, yielding an infinite loop. Classes like java.util.HashMap call hashCode() on keys during deserialization of a serialized map. 

The exploit requires:

  1. Crafting a serialized HashMap object with an infinite seq object as a key.
  2. Sending that to a program that reads serialized objects via ObjectInputStream.readObject().

This will cause the program to enter an infinite loop on the reading thread and thus a denial of service (DoS). 

The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.

Base CVSS

7.5

EPSS Score

0.06%

Introduced Version

1.7.0-alpha6

Fix Available

1.11.2,1.12.0-alpha9

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
org.clojure:clojure
1.12.0-alpha8
CVES Fixed
C
0
H
1
M
0
L
0
Code Changed
+49
-0

References

https://github.com/clojure/clojure
https://clojure.atlassian.net/browse/CLJ-2839
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25FKUOYXQZGGJMFUM5HJABWMIX2TILRV
https://nvd.nist.gov/vuln/detail/CVE-2024-22871
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFPGUDXMW6OXKIDGCOZFEAXO74VQIB2T
https://hackmd.io/%40fe1w0/rymmJGida
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWWK2SO2MH4SXPO6L444MM6LHVLVFULV

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01