CVE-2023-45146

CRITICAL

Xxl-rpc < 1.7.0 - Insecure Deserialization

Title source: rule

Description

XXL-RPC is a high performance, distributed RPC framework. With it, a TCP server can be set up using the Netty framework and the Hessian serialization mechanism. When such a configuration is used, attackers may be able to connect to the server and provide malicious serialized objects that, once deserialized, force it to execute arbitrary code. This can be abused to take control of the machine the server is running by way of remote code execution. This issue has not been fixed.

References (2)

[Product, Third Party Advisory] https://securitylab.github.com/advisories/GHSL-2023-052_XXL-RPC/

[Third Party Advisory] https://www.vicarius.io/vsociety/posts/xxl-rpc-rce-cve-2023-45146

Scores

CVSS v3 9.0

EPSS 0.0312

EPSS Percentile 86.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

xxl-rpc_project/xxl-rpc < 1.7.0

com.xuxueli/xxl-rpc-core Maven

Timeline

Published Oct 18, 2023

Tracked Since Feb 18, 2026