CVE-2023-34050

MEDIUM

Spring AMQP <2.4.16 & <3.0.9 - Deserialization

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-34050. PoCs published by X1r0z, JAckLosingHeart.

AI-analyzed exploit summary: This repository contains a functional Proof of Concept (PoC) for CVE-2023-34050, a deserialization vulnerability in Spring AMQP. The exploit leverages Java deserialization gadgets to achieve remote code execution (RCE) by sending a malicious payload via RabbitMQ.

Description

In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if:

* the SimpleMessageConverter or SerializerMessageConverter is used
* the user does not configure allowed list patterns
* untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content

Exploits (2)

nomisec WORKING POC 13 stars
by X1r0z · poc
https://github.com/X1r0z/spring-amqp-deserialization

This repository contains a functional Proof of Concept (PoC) for CVE-2023-34050, a deserialization vulnerability in Spring AMQP. The exploit leverages Java deserialization gadgets to achieve remote code execution (RCE) by sending a malicious payload via RabbitMQ.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9
No auth needed
Prerequisites: Access to a vulnerable Spring AMQP instance · Ability to send messages to a RabbitMQ exchange
devstral-2 · analyzed Feb 16, 2026
github WORKING POC 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/spring-CVE-2023-34050

This repository contains functional exploit PoCs for multiple CVEs, including deserialization and RCE vulnerabilities in Java-based software. The PoCs are well-structured and include actual exploit code for vulnerabilities like CVE-2022-42889 (commons-text), CVE-2023-23638 (Dubbo), and others.

Classification
Working Poc 95%
Attack Type
Rce | Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Apache Commons Text, Apache Dubbo, Fastjson, Jackson, Log4j, MySQL, Apache Shiro
No auth needed
Prerequisites: Java runtime environment · vulnerable version of target software · network access to target
devstral-2 · analyzed Feb 27, 2026

References (1)

Core References · Mitigation, Vendor Advisory
https://spring.io/security/cve-2023-34050

Scores

CVSS v3 5.0
EPSS 0.0152
EPSS Percentile 71.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-502
Status published
Products (1)
vmware/spring_advanced_message_queuing_protocol 1.0.0 - 2.4.16
Published Oct 19, 2023
Tracked Since Feb 18, 2026