CVE-2025-31129

HIGH

jooby-pac4j < 2.17.0 and 3.0.0.M1-3.6.1 - Deserialization of Untrusted Data in SessionStoreImpl

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-31129. PoCs published by cwm1123.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2025-31129, leveraging Apache Commons Collections deserialization to achieve remote code execution. The exploit uses a crafted serialized payload to trigger arbitrary code execution via a malicious class loaded dynamically.

Description

Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x).

Exploits (1)

nomisec WORKING POC
by cwm1123 · poc
https://github.com/cwm1123/CVE-2025-31129

This repository contains a proof-of-concept exploit for CVE-2025-31129, leveraging Apache Commons Collections deserialization to achieve remote code execution. The exploit uses a crafted serialized payload to trigger arbitrary code execution via a malicious class loaded dynamically.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Apache Commons Collections (version not specified)
No auth needed
Prerequisites: Vulnerable version of Apache Commons Collections · Ability to send serialized payload to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.0057
EPSS Percentile 42.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (3)
io.jooby/jooby-pac4j 0 - 2.17.0Maven
jooby-project/jooby < 2.17.0
jooby-project/jooby >= 3.0.0.M1, < 3.7.0
Published Mar 31, 2025
Tracked Since Feb 18, 2026