Dromara Sa-Token Deserialization Vulnerability in JDK/Base64 Serialization Template

Vulnerability

A critical deserialization vulnerability affects Dromara Sa-Token versions through 1.44.0. The issue lies in the JDK/Base64 serialization template, 'SaSerializerTemplateForJdkUseBase64.java', which Base64-decodes a stored value and passes the raw bytes straight to 'ObjectInputStream.readObject' without restricting which classes may be deserialized. Because attacker-controlled data can reach this call, the flaw is exploitable remotely, and it escalates to arbitrary code execution when the classpath contains a usable gadget chain such as Commons-Collections 3.x.

Impact

An attacker who can supply the value that is deserialized can execute arbitrary code with the privileges of the application running Sa-Token, provided a suitable gadget chain is present on the classpath. Even without a gadget chain, unrestricted deserialization of attacker-controlled bytes exposes the server to denial-of-service payloads (deeply nested or reference-heavy object graphs).

Reproduction

Reproduction requires a Sa-Token deployment with the JDK/Base64 serialization template enabled. Send an HTTP request whose Cookie header carries an attacker-controlled token value. When Sa-Token's session management processes that token, the Base64-decoded bytes are handed to ObjectInputStream.readObject with no type validation, so a serialized gadget chain is executed during deserialization if the matching library is on the classpath.
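The following Java is an added illustration, not Sa-Token's own source: it reimplements the pattern described above (a Base64 string decoded and fed to ObjectInputStream.readObject) once as written in the vulnerable form and once with the standard mitigation, a JDK 9+ ObjectInputFilter allowlist with depth and reference limits. The class and method names, the allowlist contents and the sample session map are assumptions made for the demo; java.util.Date is used only as a stand-in for any Serializable class outside the allowlist, not as a real gadget.

```java
import java.io.*;
import java.util.*;

/*
 * Hypothetical re-implementation of a JDK/Base64 serializer (not Sa-Token code).
 * stringToObjectUnsafe mirrors the flaw in the advisory: every class named in the
 * stream is instantiated and its readObject/readResolve hooks run before the
 * caller sees anything. stringToObjectFiltered applies an ObjectInputFilter.
 */
public class JdkBase64SerializerDemo {

    // Serialize any object to a Base64 string (shared by both variants).
    static String objectToString(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // VULNERABLE: no restriction on which classes the stream may name.
    static Object stringToObjectUnsafe(String token) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(token);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    // Assumed allowlist for a session map: the types a framework would legitimately store.
    // java.lang.Number is listed because Long's superclass descriptor is also checked.
    static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.Integer", "java.lang.Long", "java.lang.Boolean",
            "java.lang.Number", "java.util.HashMap", "java.util.LinkedHashMap", "java.util.ArrayList");

    // HARDENED: the filter is consulted for every class descriptor and array in the
    // stream before the class is instantiated; anything outside the allowlist aborts
    // deserialization with InvalidClassException. Depth/reference caps blunt DoS graphs.
    static Object stringToObjectFiltered(String token) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(token);
        ObjectInputFilter filter = info -> {
            if (info.depth() > 10 || info.references() > 1000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {                       // size/metadata check, no class involved
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (c.isArray()) {                  // judge arrays by their element type
                c = c.getComponentType();
            }
            return (c.isPrimitive() || ALLOWED.contains(c.getName()))
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(filter);      // must be set before the first readObject
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign session map both variants should accept.
        Map<String, Object> session = new HashMap<>();
        session.put("loginId", 10001L);
        session.put("role", "user");
        String token = objectToString(session);
        System.out.println("unsafe   : " + stringToObjectUnsafe(token));
        System.out.println("filtered : " + stringToObjectFiltered(token));

        // Constructed stand-in for an unexpected class. Date is harmless, but note that
        // the unsafe path instantiates it while the filtered path refuses up front,
        // which is exactly the difference between running a gadget and rejecting it.
        String foreign = objectToString(new Date(0));
        System.out.println("unsafe   : " + stringToObjectUnsafe(foreign));
        try {
            stringToObjectFiltered(foreign);
        } catch (InvalidClassException e) {
            System.out.println("filtered : rejected -> " + e.getMessage());
        }
    }
}
```

The design point is that the filter decides on class names before any constructor or readObject hook runs, so a gadget chain is never materialised. An allowlist is preferable to a denylist of known gadget classes, because the set of exploitable gadgets grows with every library added to the classpath; a process-wide default can also be set via the jdk.serialFilter system property.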

Added: Dec 30, 2025, 6:19 AM
Updated: Dec 30, 2025, 6:19 AM

Vulnerability Rating

Custom Algorithm
spread          4.2
impact          10.0
exploitability  5.8
remediation     0.0
relevance       1.6
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.