Aizuda Snail-Job Deserialization Vulnerability in FurySerializer API Component
Vulnerability
A critical remote code execution vulnerability has been identified in Aizuda Snail-Job versions through 1.7.0 on macOS. The issue is in the FurySerializer.deserialize function of the API component: manipulating the argsStr parameter leads to unsafe deserialization, which can be exploited to execute arbitrary code.
Impact
Exploitation of this vulnerability leads to remote code execution on the affected system.
Reproduction
The vulnerability can be reproduced by sending a request to one of the affected API endpoints, such as '/retry/dispatch' or '/retry/callback', with a crafted argsStr parameter that includes malicious serialized data. This data is then deserialized by the FurySerializer, executing the embedded code on the server.
Remediation
Register every class that is allowed to be deserialized during initialization, and configure an allow-list of permitted class prefixes to enhance security. The Fury documentation advises against disabling class registration, because doing so allows unknown classes to be deserialized and malicious code to be executed.
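The remediation above, sketched as an added example; this is not Snail-Job's code or its patch. It assumes the Apache Fury Java library under the `org.apache.fury` package; the package `com.example.jobs` and the classes `JobArgs` and `Unregistered` are hypothetical.

```java
package com.example.jobs; // hypothetical package, used for the prefix allow-list below

import org.apache.fury.Fury;
import org.apache.fury.config.Language;
import org.apache.fury.resolver.AllowListChecker;

public class HardenedFuryExample {
    // Hypothetical payload type standing in for the application's real argument classes.
    public static class JobArgs {
        public String taskName = "demo";
        public int retryCount = 3;
    }

    // Hypothetical type that is deliberately never registered.
    public static class Unregistered {
        public String value = "x";
    }

    static Fury buildHardened() {
        Fury fury = Fury.builder()
            .withLanguage(Language.JAVA)
            .requireClassRegistration(true) // the weak setting is requireClassRegistration(false)
            .build();
        // Prefix allow-list, following the pattern in the Fury Java guide.
        AllowListChecker checker = new AllowListChecker(AllowListChecker.CheckLevel.STRICT);
        fury.getClassResolver().setClassChecker(checker);
        checker.addListener(fury.getClassResolver());
        checker.allowClass("com.example.jobs.*");
        // Register each concrete type once, at initialization.
        fury.register(JobArgs.class);
        return fury;
    }

    public static void main(String[] args) {
        Fury fury = buildHardened();
        byte[] bytes = fury.serialize(new JobArgs());
        JobArgs back = (JobArgs) fury.deserialize(bytes);
        System.out.println("round trip: " + back.taskName + " / " + back.retryCount);
        try {
            fury.serialize(new Unregistered());
            System.out.println("unregistered type was accepted: registration is not enforced");
        } catch (RuntimeException e) {
            // Fury refuses types that were not registered when registration is required.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Build one such instance at startup and reuse it for every deserialization of request data, so no code path falls back to an instance created with registration disabled.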
