CVE-2016-9606

HIGH

JBoss RESTEasy < 3.1.2 - Remote Code Execution via YamlProvider Unmarshalling

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-9606. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2016-9606, a vulnerability in RESTEasy. The code includes test cases and resources that demonstrate the vulnerability, specifically targeting validation and CDI (Contexts and Dependency Injection) issues in RESTEasy applications.

Description

JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.

Exploits (2)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2016-9606-Resteasy-vulnerable

Classification
Working PoC (90%)
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: RESTEasy (versions 9.0.2.Final, 10.1.0.Final, 10.0.0.Final)
No auth needed
Prerequisites: Java 8 · Maven · RESTEasy application with validation and CDI enabled
devstral-2 · analyzed Mar 14, 2026
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2016-9606-Resteasy-vulnerable

This repository contains a functional exploit PoC for CVE-2016-9606, a vulnerability in RESTEasy. The code includes test cases and resources that demonstrate the vulnerability, specifically focusing on validation and constraint violations in RESTful services.

Classification
Working PoC (90%)
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: RESTEasy (versions 9.0.2.Final, 10.1.0.Final, 10.0.0.Final)
No auth needed
Prerequisites: Java 8 · Maven · RESTEasy environment
devstral-2 · analyzed Feb 18, 2026

References (16)

Core References (16)
https://access.redhat.com/errata/RHSA-2017:1411 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://rhn.redhat.com/errata/RHSA-2017-1409.html (Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://www.securityfocus.com/bid/94940 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_bid)
https://bugzilla.redhat.com/show_bug.cgi?id=1400644 (Issue Tracking, Third Party Advisory; x_refsource_confirm)
https://access.redhat.com/errata/RHSA-2017:1675 (Broken Link, Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://www.securitytracker.com/id/1038524 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_sectrack)
https://access.redhat.com/errata/RHSA-2017:1254 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2017:1410 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://rhn.redhat.com/errata/RHSA-2017-1255.html (Third Party Advisory; vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2017:1412 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2018:2909 (Vendor Advisory; vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2017:1256 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2017:1253 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2017:1260 (Third Party Advisory; vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2017:1676 (Broken Link, Third Party Advisory; vendor-advisory; x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2018:2913 (Vendor Advisory; vendor-advisory; x_refsource_redhat)

Scores

CVSS v3 8.1
EPSS 0.0226
EPSS Percentile 85.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (2)
org.jboss.resteasy/resteasy-bom (Maven) 0 - 3.1.2.Final
redhat/resteasy < 3.1.1
Published Mar 09, 2018
Tracked Since Feb 18, 2026