Bypass of the fix for CVE-2019-0195
Description
A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195.

Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file AppModule.class, which contains an HMAC secret key, by requesting the URL http://localhost:8080/assets/something/services/AppModule.class. The fix for that bug was a blacklist filter that checks if the URL ends with .class, .properties or .xml.

Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a / at the end of the URL: http://localhost:8080/assets/something/services/AppModule.class/ The slash is stripped after the blacklist check and the file AppModule.class is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).

Solution for this vulnerability:
* For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.
* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tapestry versions 5.4.5 to 5.7.0 contain an unauthenticated remote code execution vulnerability due to bypass of a fix for CVE-2019-0195.
Vulnerability
A critical unauthenticated remote code execution vulnerability exists in Apache Tapestry versions 5.4.5, 5.5.0, 5.6.2, and 5.7.0. The vulnerability is a bypass of the fix for CVE-2019-0195, where a blacklist filter blocking .class, .properties, and .xml file extensions can be circumvented by appending a trailing slash to the URL. This allows an attacker to download arbitrary class files from the classpath, such as AppModule.class, which contains an HMAC secret key. The blacklist filter fails because the trailing slash is stripped after the filter check. [1][3]
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the Tapestry application's asset URL, e.g., http://localhost:8080/assets/something/services/AppModule.class/. The trailing slash bypasses the blacklist, and the server serves the AppModule.class file. With the HMAC secret key obtained from that file, the attacker can sign a malicious Java serialized object (e.g., using CommonsBeanUtils1 from ysoserial) and send it to the server, resulting in remote code execution. No authentication is required. [1][3]
Impact
Successful exploitation allows an unauthenticated attacker to achieve remote code execution on the Tapestry server with the privileges of the application. The attacker can execute arbitrary Java code, potentially leading to full compromise of the application and underlying system. The attack does not require any prior access or user interaction. [1]
Mitigation
For Apache Tapestry versions 5.4.0 to 5.6.1, upgrade to version 5.6.2 or later. For version 5.7.0, upgrade to 5.7.1 or later. These patched versions properly ignore trailing slashes in asset URLs. [1][2][3] No workaround is available aside from upgrading.
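The root cause described above and in the Description is an ordering bug: the extension blacklist inspects the raw request path, and the trailing slash is only stripped afterwards, so the canonical resource that is actually looked up was never checked. The following Python model, added here as an illustration and not code from Apache Tapestry, puts the two orderings side by side. `BLOCKED` is the extension list named in the advisory; `ALLOWED` and the simplified `normalize` step are assumptions made for the example, not Tapestry's asset dispatcher.

```python
"""
Added example (not Tapestry's code): an extension blacklist applied before
path normalization versus a check applied to the canonical path.

Assumptions: `normalize` models only the trailing-slash stripping the
advisory describes; `ALLOWED` is an assumed set of static-asset extensions.
"""
from pathlib import PurePosixPath

# Extensions the advisory says the original (bypassable) fix blacklisted.
BLOCKED = (".class", ".properties", ".xml")

# Extensions an asset handler legitimately serves (assumed for the example).
ALLOWED = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff2")


def normalize(path: str) -> str:
    """Model of the server-side step the advisory describes: trailing
    slashes are removed before the resource is looked up."""
    return path.rstrip("/")


def vulnerable_is_served(path: str) -> bool:
    """Broken ordering: blacklist on the raw URL, normalization afterwards.

    '/x/AppModule.class'  -> rejected by the blacklist
    '/x/AppModule.class/' -> passes the blacklist, then normalizes to the
                              same .class resource and is served
    """
    if path.endswith(BLOCKED):
        return False
    resource = normalize(path)
    return resource != ""


def hardened_is_served(path: str) -> bool:
    """Safe ordering: normalize first, then decide on the canonical path.

    The decision uses an allowlist of asset extensions; the blacklist is
    kept as a second layer so a mis-edited ALLOWED cannot reopen the hole.
    """
    resource = normalize(path)
    if not resource:
        return False
    suffix = PurePosixPath(resource).suffix.lower()
    if suffix in BLOCKED:
        return False
    return suffix in ALLOWED


def compare(paths):
    """Run each path through both policies; returns {path: (vulnerable, hardened)}."""
    return {p: (vulnerable_is_served(p), hardened_is_served(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths (the AppModule.class path is the one
    # quoted in the advisory; the others are ordinary asset requests).
    sample = [
        "/assets/something/services/AppModule.class",
        "/assets/something/services/AppModule.class/",
        "/assets/something/services/AppModule.class//",
        "/assets/app/style.css",
        "/assets/app/style.css/",
    ]
    for path, (vuln, hard) in compare(sample).items():
        print(f"{path:48s} vulnerable={vuln!s:5s} hardened={hard}")
```

The useful takeaway for a reviewer of any path-based deny rule is the ordering in `hardened_is_served`: every normalization the server will perform (here just trailing-slash removal) must run before the policy decision, and the decision should be made on the canonical name that is actually resolved.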
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tapestry:tapestry-core | Maven | >= 5.4.0, < 5.6.3 | 5.6.3 |
| org.apache.tapestry:tapestry-core | Maven | >= 5.7.0, < 5.7.1 | 5.7.1 |
Affected products
- Apache Software Foundation / Apache Tapestry, v5 range: Apache Tapestry 5.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mj8x-cpr8-x39h (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-27850 (NVD advisory, via GHSA)
- www.openwall.com/lists/oss-security/2021/04/15/1 (oss-security mailing list, MLIST)
- issues.apache.org/jira/browse/TAP5-2663 (Apache JIRA issue)
- lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E (users@tapestry.apache.org thread, MISC)
- security.netapp.com/advisory/ntap-20210528-0002/ (NetApp advisory; listed by GHSA and as MITRE CONFIRM)
News mentions
No linked articles in our index yet.