CVE-2023-25581

CRITICAL LAB

pac4j-core < 4.0.0 - Remote Code Execution via Java Deserialization with {#sb64} Prefix

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-25581. PoCs published by p33d.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2023-25581, leveraging unsafe deserialization in pac4j-core to achieve remote code execution (RCE) via a crafted Base64-encoded payload. The exploit sends a malicious serialized object to a vulnerable endpoint, triggering arbitrary command execution.

Description

pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix `{#sb64}` and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place, that puts some restriction on what classes can be deserialized, it still allows a broad range of java packages and potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploits (1)

nomisec WORKING POC

by p33d · poc

https://github.com/p33d/CVE-2023-25581

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2023-25581, leveraging unsafe deserialization in pac4j-core to achieve remote code execution (RCE) via a crafted Base64-encoded payload. The exploit sends a malicious serialized object to a vulnerable endpoint, triggering arbitrary command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: pac4j-core (versions affected by CVE-2023-25581)

No auth needed

Prerequisites: Python 3.x · requests library · vulnerable pac4j-core endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Various Sources x_refsource_confirm

https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/

Various Sources x_refsource_misc

https://github.com/frohoff/ysoserial

View Writeup ZIP pw:eip

Various Sources x_refsource_misc

https://github.com/pac4j/pac4j/blob/5834aeb22ad3a4369dfa572be60d7b20f5784a8f/pac4j-core/src/main/java/org/pac4j/core/profile/InternalAttributeHandler.java#L95

View Writeup ZIP pw:eip

Various Sources x_refsource_misc

https://portswigger.net/web-security/deserialization

Scores

CVSS v4 9.2

EPSS 0.0195

EPSS Percentile 77.6%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Lab Environment

COMMUNITY

Community Lab

docker pull eclipse-temurin:8-jdk-alpine

https://github.com/p33d/CVE-2023-25581

https://github.com/frohoff/ysoserial

https://github.com/pac4j/pac4j

View in Library

Details

CWE

CWE-502

Status published

Products (2)

org.pac4j/pac4j-core 0 - 4.0.0Maven

pac4j/pac4j < 4.0.0

Published Oct 10, 2024

Tracked Since Feb 18, 2026