CVE-2022-25647

Aliases:GHSA-4jrv-ppp4-jm57
Advisory lineage Upstream: 0 Downstream: 15
Modified
Published: 01 May 2022, 15:30
Last modified:27 May 2026, 14:03

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.7 HIGH
v3.1 (cve.org)
EPSS Score
2.87% LOW
3% probability +0.79%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

01 May 2022, 15:30
Published
Vulnerability first disclosed
27 May 2026, 14:03
Last Modified
Vulnerability information updated

Description

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

CVSS Metrics

  • v3.1HIGHScore: 7.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v2.0MEDIUMScore: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 2.87% Percentile: 87%

Techniques & Countermeasures

  • CWE-502Deserialization of Untrusted Data

    The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

  • debiandebian_linux

    9.0 | 10.0 | 11.0

  • googlegson

    ≥ 2.2.3, < 2.8.9

  • com.google.code.gsongson

    < 2.8.9

  • netappactive_iq_unified_manager

    na

  • oraclefinancial_services_crime_and_compliance_management_studio

    8.0.8.2.0 | 8.0.8.3.0

  • oraclegraalvm

    20.3.6 | 21.3.2 | 22.1.0

  • oracleretail_order_broker

    18.0 | 19.1

References (11)