DataHub Deserialization Vulnerability in OIDC Callback Flow Allowing SSRF and Potential RCE

Vulnerability

A deserialization vulnerability has been identified in the DataHub frontend component (datahub-frontend-react) in versions 1.5.0.2 and prior. It sits in the OpenID Connect (OIDC) callback flow, at the GET /callback/oidc endpoint: the application reads the REDIRECT_URL HTTP cookie, which the client controls, and passes its contents to Java object deserialization. The cookie carries no integrity protection (no HMAC and no encryption), so nothing stops a client from replacing the serialized redirect target with an arbitrary serialized object.

Two preconditions apply. OIDC/SSO must be enabled, which is the standard production configuration, and the attacker needs a valid account with the configured OIDC identity provider, since the cookie is only deserialized when the callback completes a login. An authenticated attacker can therefore, at a minimum, trigger blind Server-Side Request Forgery (SSRF) from the frontend server, reaching internal hosts and performing port scanning. Remote code execution (RCE) is possible only if a suitable gadget chain is present on the frontend's classpath; no such chain had been confirmed at the time of disclosure.
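The pattern described above, as an added example written for this page rather than code taken from DataHub or its OIDC library: a vulnerable reader that hands the raw cookie bytes to ObjectInputStream, beside a hardened reader that verifies an HMAC over the serialized payload before touching it and then restricts deserialization to the one expected class with a JEP 290 ObjectInputFilter. The RedirectTarget class, the demo key and the cookie layout ("base64url(mac).base64url(payload)") are assumptions made for the illustration. The reason blind SSRF is reachable even without an RCE chain is that deserialization runs code from the classes named in the stream before the application sees the result; the textbook illustration, not asserted to be what affects DataHub, is a serialized HashMap whose key is a java.net.URL, since URL.hashCode() resolves the hostname while readObject() rebuilds the map.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative only; not DataHub or pac4j code. Models a redirect target kept as a
 *  Java-serialized object in a cookie and read back on the OIDC callback. */
public class RedirectCookieDemo {

    /** Hypothetical stand-in for the object a framework stores for the post-login redirect. */
    public static final class RedirectTarget implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String url;
        public RedirectTarget(String url) { this.url = url; }
    }

    // Vulnerable pattern: whatever bytes the client sent are deserialized as-is.
    public static Object readRedirectUnsafe(String cookieValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(cookieValue);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject(); // any Serializable class on the classpath may be instantiated here
        }
    }

    // Hardened pattern: HMAC over the payload, checked first, then a class allow-list.
    private static final String HMAC_ALG = "HmacSHA256";

    public static String signPayload(byte[] payload, byte[] key) throws GeneralSecurityException {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(hmac(key, payload)) + "." + enc.encodeToString(payload);
    }

    public static String writeRedirectSigned(RedirectTarget target, byte[] key)
            throws IOException, GeneralSecurityException {
        return signPayload(serialize(target), key);
    }

    public static RedirectTarget readRedirectSigned(String cookieValue, byte[] key)
            throws IOException, GeneralSecurityException, ClassNotFoundException {
        int dot = cookieValue.indexOf('.');
        if (dot < 0) throw new IOException("malformed redirect cookie");
        byte[] mac = Base64.getUrlDecoder().decode(cookieValue.substring(0, dot));
        byte[] payload = Base64.getUrlDecoder().decode(cookieValue.substring(dot + 1));
        // Integrity check before any parsing of the payload; constant-time comparison.
        if (!MessageDigest.isEqual(mac, hmac(key, payload))) {
            throw new IOException("redirect cookie failed HMAC check");
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            // Defence in depth: even a correctly signed stream may only contain the expected class.
            in.setObjectInputFilter(RedirectCookieDemo::allowOnlyRedirectTarget);
            Object obj = in.readObject();
            if (!(obj instanceof RedirectTarget)) throw new IOException("unexpected type in redirect cookie");
            return (RedirectTarget) obj;
        }
    }

    private static ObjectInputFilter.Status allowOnlyRedirectTarget(ObjectInputFilter.FilterInfo info) {
        Class<?> c = info.serialClass();
        if (c == null) { // back-reference or size check, no class involved: keep the stream small
            return (info.depth() > 3 || info.references() > 8)
                    ? ObjectInputFilter.Status.REJECTED : ObjectInputFilter.Status.UNDECIDED;
        }
        return (c == RedirectTarget.class) ? ObjectInputFilter.Status.ALLOWED
                                           : ObjectInputFilter.Status.REJECTED;
    }

    private static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(HMAC_ALG);
        mac.init(new SecretKeySpec(key, HMAC_ALG));
        return mac.doFinal(data);
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "demo-key-replace-with-a-real-secret".getBytes(StandardCharsets.UTF_8); // assumed
        String cookie = writeRedirectSigned(new RedirectTarget("/browse/datasets"), key);
        System.out.println("round trip: " + readRedirectSigned(cookie, key).url);

        // Constructed attacker cookie: a serialized HashMap instead of a RedirectTarget.
        byte[] forgedPayload = serialize(new HashMap<String, String>());
        System.out.println("unsafe reader accepted: "
                + readRedirectUnsafe(Base64.getEncoder().encodeToString(forgedPayload)).getClass().getName());
        try { readRedirectSigned(Base64.getEncoder().encodeToString(forgedPayload), key); }
        catch (IOException e) { System.out.println("unsigned forgery rejected: " + e.getMessage()); }
        // Even if the attacker could sign, the filter stops the unexpected class.
        try { readRedirectSigned(signPayload(forgedPayload, key), key); }
        catch (IOException e) { System.out.println("signed wrong type rejected: " + e.getMessage()); }
    }
}
```

The order matters: the MAC is verified over the raw bytes before ObjectInputStream is constructed, so a forged cookie never reaches the deserializer, and the filter is a second line of defence against a leaked key or a signing oracle elsewhere in the application. In practice the redirect target should not be a serialized object at all; a plain, validated relative path in a signed cookie removes the deserialization step entirely.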

Impact

Successful exploitation results in deserialization of attacker-controlled data on the frontend server. The confirmed consequence is blind SSRF: the server can be made to issue requests to internal hosts, exposing internal resources and services and enabling port scanning from a trusted network position. Remote code execution is possible in principle if an exploitable gadget chain is present on the frontend's classpath, but none was demonstrated.

Remediation

Upgrade DataHub, including the datahub-frontend-react component, to version 1.5.0.3 or later, which addresses this vulnerability.

Added: May 14, 2026, 4:21 PM
Updated: May 14, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 3.9
remediation: 7.7
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.