Dromara Sa-Token Deserialization Vulnerability in SaJdkSerializer Component Allowing Remote Code Execution

Vulnerability

A deserialization vulnerability has been identified in Dromara Sa-Token versions through 1.44.0, specifically within the SaJdkSerializer component. The issue arises in the ObjectInputStream.readObject function, where untrusted data is deserialized without any validation of the classes it names. The vulnerability is exploitable remotely, although exploitation is rated as high complexity. The vendor did not respond to the disclosure, which suggests this critical issue may not yet have been addressed.

Impact

Exploitation of this vulnerability results in insecure deserialization, which can escalate to remote code execution depending on the runtime environment and on whether exploitable classes are present on the application's classpath.

Reproduction

The vulnerability can be reproduced by writing an arbitrary serialized byte stream into the cache or Redis database that the application later reads back through the default JDK serializer. Such data can be injected via an HTTP request; when the application subsequently deserializes it, the absence of input validation in the deserialization path is what makes the injected stream dangerous.

Remediation

It is recommended to update to a version of Dromara Sa-Token that addresses this vulnerability. For deployments using the Jackson plugin, ensure that the 'activateDefaultTyping' feature is disabled or restricted to safe types. If using Fastjson, verify that the 'autoType' feature is turned off or only allows whitelisted types.
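As an added example that is not Sa-Token's own code, the following hardened JDK serializer shows the mitigation for the readObject path described above: a JEP 290 ObjectInputFilter allowlist installed before readObject, so that a cached byte stream naming an unexpected class is rejected before it is instantiated. It assumes Java 9 or later; the class name SafeJdkSerializer and the list of permitted types are hypothetical choices for a session cache.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;

// Hypothetical hardened JDK serializer (not Sa-Token's code).
public final class SafeJdkSerializer {
    // JEP 290 allowlist: only the value types the app actually caches
    // may be reconstructed; "!*" rejects every other class before its
    // readObject/readResolve runs. Serializable superclasses (Number)
    // must be listed too, since the filter checks each stream descriptor.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=2000;java.lang.String;java.lang.Number;java.lang.Integer;"
            + "java.lang.Long;java.lang.Boolean;java.util.HashMap;!*");

    public static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    // Bytes read back from the cache/Redis are untrusted: install the
    // filter before readObject so an unexpected class fails with
    // InvalidClassException instead of being instantiated.
    public static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, Object> session = new HashMap<>(); // constructed sample
        session.put("loginId", 10001L);
        session.put("role", "user");
        System.out.println("allowed: " + deserialize(serialize(session)));
        // Anything outside the allowlist, even a harmless java.util.Date, is refused.
        try {
            deserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with ObjectInputFilter.Config.setSerialFilter, which also covers deserialization paths the application does not control directly.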

Added: Dec 28, 2025, 3:17 AM
Updated: Dec 28, 2025, 3:17 AM

Vulnerability Rating

Custom Algorithm

spread          4.2
impact         10.0
exploitability  4.6
remediation     0.0
relevance       1.8
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.