Apache Tapestry prior to version 4 (EOL) allows RCE through deserialization of untrusted input
Description
Apache Tapestry 3.x deserializes untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies to the (also unsupported) 4.x version line. NOTE: This vulnerability only affects the Apache Tapestry 3.x version line, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tapestry 3.x, an unsupported version line, allows unauthenticated remote code execution via unsafe deserialization of untrusted data in the sp parameter.
Vulnerability
Overview
CVE-2022-46366 is an unsafe deserialization vulnerability in the Apache Tapestry 3.x version line. The root cause is that the framework deserializes user-supplied data, specifically the value of the sp request parameter, without validating it. The issue is similar to CVE-2020-17531, which affects the separate 4.x version line, but the payload must be modified differently for successful exploitation against 3.x [1][3].
Exploitation
Details
The vulnerability can be exploited by an unauthenticated attacker who sends a crafted Java serialized object via the sp parameter. Although automated scanners may not identify the issue due to the need for source code analysis to determine the correct payload structure, the attack surface is accessible remotely over the network. The affected component is the Tapestry framework itself, which processes the malicious input during deserialization [3].
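As an added example that is not part of this page, the cited disclosure, or Apache Tapestry itself, the detection logic below scans constructed access-log lines for requests whose sp parameter carries a Java serialization stream, identified by the 0xACED0005 stream header that ObjectOutputStream always emits. It tries the value as raw bytes, after Base64 decoding (standard and URL-safe alphabets), and after Base64 plus gzip. The common-log-format layout, the placement of sp in the query string, the encodings tried, and the sample requests are all assumptions; the page does not state how a 3.x payload is encoded, so treat a hit as a signal to investigate rather than a confirmed exploit attempt.

```python
"""Detect Java serialization streams in the Tapestry ``sp`` request parameter.

Added example for this CVE page, not code from Apache Tapestry or the cited
disclosure.  Assumptions (the page does not state them): requests are logged
in common log format with ``sp`` in the query string, and a malicious value
arrives raw, Base64-encoded, or Base64-encoded gzip.  The log lines below
are constructed for the demo; the payload body is filler, not a gadget chain.
"""
import base64
import binascii
import gzip
import re
import zlib
from urllib.parse import parse_qs, quote, urlsplit

# ObjectOutputStream writes STREAM_MAGIC (0xACED) then STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
GZIP_MAGIC = b"\x1f\x8b"

# client ident user [time] "METHOD target protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(value):
    """Return a reason string if ``value`` carries a serialization stream, else None.

    Checks the value as raw bytes, then after Base64 (standard and URL-safe
    alphabets), then after Base64 + gzip.  The magic is searched within the
    first 32 bytes so that a short type prefix before the stream is tolerated.
    """
    raw = value.encode("latin-1", errors="replace")
    if JAVA_SERIAL_MAGIC in raw[:32]:
        return "raw java serialization stream"
    # parse_qs turns a literal '+' into a space; undo that before decoding.
    text = value.strip().replace(" ", "+")
    text += "=" * (-len(text) % 4)  # restore padding a client may have stripped
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            blob = decoder(text)
        except (binascii.Error, ValueError):
            continue
        if JAVA_SERIAL_MAGIC in blob[:32]:
            return "base64 java serialization stream"
        if blob.startswith(GZIP_MAGIC):
            try:
                inflated = gzip.decompress(blob)
            except (OSError, EOFError, zlib.error):
                continue
            if JAVA_SERIAL_MAGIC in inflated[:32]:
                return "base64+gzip java serialization stream"
    return None


def scan_log(lines):
    """Return (client, path, reason) for every request whose sp parameter is suspicious."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, _method, target, _status = match.groups()
        parts = urlsplit(target)
        # latin-1 maps percent-decoded bytes 1:1, so a raw stream survives decoding
        params = parse_qs(parts.query, keep_blank_values=True, encoding="latin-1")
        for value in params.get("sp", []):
            reason = classify(value)
            if reason:
                hits.append((client, parts.path, reason))
    return hits


# Constructed sample traffic: three suspicious requests and two benign ones.
_BLOB = JAVA_SERIAL_MAGIC + b"constructed filler body, not a gadget chain"
_B64 = quote(base64.b64encode(_BLOB).decode(), safe="")
_GZ = quote(base64.b64encode(gzip.compress(_BLOB)).decode(), safe="")
_RAW = quote(_BLOB, safe="")
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Dec/2022:10:00:01 +0000] "GET /app?sp={_B64} HTTP/1.1" 500 0',
    f'203.0.113.7 - - [02/Dec/2022:10:00:02 +0000] "GET /app?sp={_GZ} HTTP/1.1" 500 0',
    f'198.51.100.4 - - [02/Dec/2022:10:00:03 +0000] "GET /app?sp=Home HTTP/1.1" 200 4120',
    f'198.51.100.4 - - [02/Dec/2022:10:00:04 +0000] "GET /app?page=Home HTTP/1.1" 200 4120',
    f'192.0.2.9 - - [02/Dec/2022:10:00:05 +0000] "POST /app?sp={_RAW} HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for client, path, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {reason}")
```

Run against the constructed log, the three requests carrying a serialization stream are reported and the two benign ones are not. Decoding before matching is deliberate: the Base64 text form of the header ("rO0AB") is what a quick grep would look for, but it misses gzip-wrapped streams and URL-safe alphabets, both of which this check handles. Because the 3.x encoding is not documented here, a real deployment should also alert on any sp value that fails to decode as the application expects.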
Impact
Successful exploitation leads to arbitrary code execution on the underlying server, allowing an attacker to completely compromise the application and its host system. The impact is rated as very high, as the attacker gains full control of the server [3].
Mitigation
Status
Apache Tapestry 3.x is end-of-life (EOL) and no longer supported by the maintainer. As a result, no patch will be released for this vulnerability. Users are strongly recommended to upgrade to a supported version line of Apache Tapestry to remediate the risk [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tapestry:tapestry-core (Maven) | >= 3.0, < 5.0.1 | 5.0.1 |
Affected products
- Apache Software Foundation / Apache Tapestry
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vc39-x7w6-6vj7 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-46366 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/12/02/1 (oss-security mailing list)
- github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md (Mandiant disclosure MNDT-2022-0041)
- lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj (Apache mailing list thread)
News mentions
No linked articles in our index yet.