Deserialization of Untrusted Data
Description
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gson before 2.8.9 allows denial of service via deserialization of untrusted data using the writeReplace() method in internal classes.
Vulnerability
Gson versions before 2.8.9 are vulnerable to a deserialization of untrusted data issue via the writeReplace() method in certain internal classes [1][3]. This vulnerability affects the com.google.code.gson:gson package and can be triggered when an attacker provides a crafted serialized object that is deserialized by the application [3]. The vulnerable internal classes can be used in a deserialization attack path that may lead to denial of service [1][3].
Exploitation
An attacker who can supply a malicious serialized Java object to an endpoint that uses Gson for deserialization can exploit this vulnerability [3]. The attack requires no authentication if the application accepts untrusted input over the network [3]. By sending a specially crafted object that leverages the writeReplace() method in internal Gson classes, the attacker can trigger excessive resource consumption or cause the application to crash [1][3]. The complexity of exploitation is low, as the vulnerable code path can be reached with basic deserialization operations [3].
Impact
Successful exploitation results in a denial of service (DoS) condition [1][3]. The attacker can cause the application to become unresponsive or crash, affecting availability. No file disclosure, remote code execution, or privilege escalation is indicated by the available references [1][3]. The impact is limited to availability, and the severity is considered medium (CVSS 5.5) [1].
Mitigation
Upgrade com.google.code.gson:gson to version 2.8.9 or higher [3]. The fix was implemented in pull request #1991 on the official GitHub repository, which prevents the deserialization of internal classes [4]. As of the publication date (2022-05-01), the fix is available and should be applied to any affected deployments [1][3]. If upgrading is not immediately possible, ensure that untrusted data is not deserialized, or use a secure deserialization library [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
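One way to enforce the Mitigation advice that untrusted serialized data must not reach Gson's internal classes, as an added example that is not code from the Gson project or from this advisory: a JEP 290 `ObjectInputFilter` attached to the `ObjectInputStream` that rejects Gson's internal package, caps object-graph size, and allowlists only the application's own types before anything is instantiated. Assumptions made here and not stated on the page: the internal classes live under the package `com.google.gson.internal`, the application's own DTOs live under `com.example`, and the constructed `NotAllowlisted` class stands in for any type outside the allowlist.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example (not Gson project code): a JEP 290 ObjectInputFilter that
// refuses Gson's internal classes and anything outside an explicit allowlist
// before the stream can instantiate them. The package prefixes
// com.google.gson.internal and com.example are assumptions for illustration.
public final class GsonInternalDeserializationGuard {

    // Order matters: the first matching pattern decides. A leading '!' rejects.
    // The size limits bound what a single stream may allocate, which is the
    // resource-exhaustion angle a DoS payload relies on.
    static final String FILTER_PATTERN = String.join(";",
        "!com.google.gson.internal.**",  // never let Gson internals in from a stream (assumed package)
        "maxdepth=16",                   // nesting depth of the object graph
        "maxarray=10000",                // largest array the stream may request
        "maxrefs=20000",                 // total objects per stream
        "maxbytes=1048576",              // bytes consumed per stream (1 MiB)
        "java.lang.*",                   // String, boxed primitives
        "java.util.*",                   // ArrayList, HashMap, ...
        "com.example.**",                // the application's own DTOs (assumed package)
        "!*");                           // reject everything else

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    /** Deserialize with the filter attached; rejected classes raise InvalidClassException. */
    public static Object readGuarded(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed stand-in for any class that is not on the allowlist.
    static final class NotAllowlisted implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "constructed sample";
    }

    public static void main(String[] args) throws Exception {
        // Allowlisted graph: an ArrayList of Strings round-trips normally.
        List<String> ok = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + readGuarded(serialize(ok)));

        // Anything outside the allowlist is stopped before instantiation.
        try {
            readGuarded(serialize(new NotAllowlisted()));
            System.out.println("unexpected: payload was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is defense in depth, not a substitute for the 2.8.9 upgrade: it only governs `ObjectInputStream`, so every stream that reads untrusted bytes must have it attached, or the same pattern must be applied process-wide through the `jdk.serialFilter` system property. Rejections surface as `InvalidClassException` and are worth logging, since a burst of them on an endpoint is a cheap detection signal for the crafted payloads the Exploitation section describes.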
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.google.code.gson:gson (Maven) | < 2.8.9 | 2.8.9 |
Affected products
115 affected version coordinates (purl) are listed, none with a CPE:
- Chainguard apk packages, range < 439-r0 (49 packages): pkg:apk/chainguard/trino, trino-config, trino-oci-entrypoint, and the trino-plugin-* packages accumulo, atop, bigquery, blackhole, cassandra, clickhouse, delta-lake, druid, elasticsearch, example-http, exchange-filesystem, exchange-hdfs, geospatial, google-sheets, hive, http-event-listener, hudi, iceberg, ignite, jmx, kafka, kinesis, kudu, local-file, mariadb, memory, ml, mongodb, mysql, mysql-event-listener, oracle, password-authenticators, pinot, postgresql, prometheus, raptor-legacy, redis, redshift, resource-group-managers, session-property-managers, singlestore, sqlserver, teradata-functions, thrift, tpcds, tpch
- Wolfi apk packages, range < 439-r0 (49 packages): pkg:apk/wolfi/trino, trino-config, trino-oci-entrypoint, and the same set of trino-plugin-* packages as above
- Maven: pkg:maven/com.google.code.gson/gson, range < 2.8.9
- openSUSE rpm: pkg:rpm/opensuse/google-gson for openSUSE Leap 15.3 and openSUSE Leap 15.4
- SUSE rpm: pkg:rpm/suse/google-gson for SUSE Enterprise Storage 7; SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS and SP2-LTSS; SUSE Linux Enterprise Module for Development Tools 15 SP3 and SP4; SUSE Linux Enterprise Server 15 SP2-BCL and SP2-LTSS; SUSE Linux Enterprise Server for SAP Applications 15 SP2; SUSE Manager Proxy 4.1; SUSE Manager Retail Branch Server 4.1; SUSE Manager Server 4.1; SUSE Manager Server Module 4.1, 4.2 and 4.3
- Of the 16 rpm coordinates, 15 list range < 2.8.9-150200.3.6.3 and one lists range < 2.8.9-150200.3.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4jrv-ppp4-jm57 (GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-25647 (GHSA; ADVISORY)
- www.debian.org/security/2022/dsa-5227 (GHSA; vendor-advisory, x_refsource_DEBIAN, WEB)
- github.com/google/gson/pull/1991 (GHSA; x_refsource_MISC, WEB)
- github.com/google/gson/pull/1991/commits (GHSA; x_refsource_MISC, WEB)
- lists.debian.org/debian-lts-announce/2022/05/msg00015.html (GHSA; mailing-list, x_refsource_MLIST, WEB)
- lists.debian.org/debian-lts-announce/2022/09/msg00009.html (GHSA; mailing-list, x_refsource_MLIST, WEB)
- security.netapp.com/advisory/ntap-20220901-0009 (GHSA; WEB)
- security.netapp.com/advisory/ntap-20220901-0009/ (MITRE; x_refsource_CONFIRM)
- snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327 (GHSA; x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujul2022.html (GHSA; x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.