CVE-2024-22871
Description
An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the clojure.core$partial$fn__5920 function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-22871: A denial of service vulnerability in Clojure (affected per the GitHub Security Advisory: 1.7.0 up to but not including 1.11.2, and 1.12.0-alpha1 up to but not including 1.12.0-alpha9; the "1.20" in the NVD description is not a Clojure release) allows an attacker who can feed Java-serialized data to an application to exhaust its CPU through recursive hash computation.
Vulnerability
Overview
CVE-2024-22871 is a denial of service (DoS) vulnerability in Clojure. The NVD description gives the affected range as "1.20 to 1.12.0-alpha5"; the GitHub Security Advisory, reflected in the package table below, lists 1.7.0 <= version < 1.11.2 and 1.12.0-alpha1 <= version < 1.12.0-alpha9 [1][2]. The advisory points at upstream issue CLJ-2839 and at the function object produced by clojure.core/partial (compiled class clojure.core$partial$fn__5920, a Clojure fn and therefore java.io.Serializable): a specially crafted object graph restored through Java object deserialization leads to uncontrolled hashcode computation [3].
Exploitation
Mechanism
The vulnerability is reachable where a Clojure application passes attacker-controlled bytes to Java object deserialization (java.io.ObjectInputStream) with the Clojure classes resolvable on its classpath. The public proof of concept [2][3] builds a serialized object graph whose cached hash fields are manipulated (the write-up sets _hash to 1); once the restored objects are hashed, the application enters a recursive hash calculation loop that exhausts CPU. No authentication is required if such a deserialization endpoint is exposed to unauthenticated users. Applications that only read EDN, JSON or similar formats from untrusted input are not exposed through this vector.
Impact
Successful exploitation leaves the affected service unresponsive through excessive CPU consumption. Where a deserialization endpoint is exposed, the condition can be triggered remotely and without special privileges, making this a significant availability risk for systems running affected Clojure versions [2][3].
Mitigation
Fixed releases are Clojure 1.11.2 (for the 1.7.0 to 1.11.1 range) and 1.12.0-alpha9 (for the 1.12.0 alpha series), as listed in the GitHub Security Advisory [1]; the Fedora package-announce messages and the openSUSE and Chainguard/Wolfi ranges below cover the corresponding distribution packages. Upgrade org.clojure/clojure and rebuild any uberjar or container image that bundles it. Where an upgrade is not immediately possible, do not deserialize untrusted data with java.io.ObjectInputStream at all; where Java serialization cannot be removed, install a JEP 290 deserialization filter (java.io.ObjectInputFilter) that rejects clojure.* classes and bounds object-graph depth [3].
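As an added illustration of the exposure described under Mechanism and the workaround given under Mitigation (example code written for this page, not taken from the Clojure project or from the referenced write-up), the Clojure snippet below puts the unsafe pattern (a bare ObjectInputStream.readObject on received bytes) next to a hardened reader that installs a JEP 290 java.io.ObjectInputFilter, and adds a predicate that maps the advisory's version ranges onto a *clojure-version*-shaped map. The package example.dto and the filter limits are assumptions; the payload is constructed locally from (partial + 1) rather than taken from the proof of concept.

```clojure
(ns example.deser
  (:import [java.io ByteArrayInputStream ByteArrayOutputStream
            ObjectInputStream ObjectOutputStream
            ObjectInputFilter ObjectInputFilter$Config]))

;; Constructed payload helper: Clojure fns extend clojure.lang.AFunction,
;; which implements java.io.Serializable, so the object returned by
;; (partial + 1) round-trips through Java serialization. A real attacker
;; crafts the byte stream directly rather than calling this.
(defn serialize ^bytes [obj]
  (let [bos (ByteArrayOutputStream.)]
    (with-open [oos (ObjectOutputStream. bos)]
      (.writeObject oos obj))
    (.toByteArray bos)))

;; Vulnerable pattern: whatever class the stream names is resolved and
;; instantiated, including the compiled fn class behind clojure.core/partial.
(defn read-untrusted-unsafe [^bytes payload]
  (with-open [ois (ObjectInputStream. (ByteArrayInputStream. payload))]
    (.readObject ois)))

;; Hardened reader: a JEP 290 filter (JDK 9+). Pattern entries are separated
;; by ';', a leading '!' rejects, '**' matches a package and its subpackages,
;; the max* limits bound graph depth, reference count and stream size, and the
;; closing "!*" rejects every class not explicitly allowed. example.dto.** is
;; an assumed application package; tune the limits to your own payloads.
(def ^ObjectInputFilter deser-filter
  (ObjectInputFilter$Config/createFilter
   (str "maxdepth=16;maxrefs=1000;maxbytes=65536;"
        "!clojure.**;"
        "example.dto.**;java.lang.String;java.lang.Long;"
        "!*")))

(defn read-untrusted-safe [^bytes payload]
  (with-open [ois (ObjectInputStream. (ByteArrayInputStream. payload))]
    (.setObjectInputFilter ois deser-filter)
    ;; Throws java.io.InvalidClassException ("filter status: REJECTED")
    ;; before any rejected class is instantiated.
    (.readObject ois)))

;; The advisory's ranges as a predicate over a *clojure-version*-shaped map:
;; affected are 1.7.0 <= v < 1.11.2 and 1.12.0-alpha1 <= v < 1.12.0-alpha9.
(defn affected-version? [{:keys [major minor incremental qualifier]}]
  (cond
    (not= major 1) false
    (< minor 7) false                           ; advisory range starts at 1.7.0
    (< minor 11) true
    (= minor 11) (< incremental 2)              ; fixed in 1.11.2
    (= minor 12) (boolean
                  (and qualifier
                       (.startsWith ^String qualifier "alpha")
                       (< (Long/parseLong (subs qualifier 5)) 9)))  ; fixed in 1.12.0-alpha9
    :else false))                               ; 1.13+ is outside the advisory

(comment
  (def payload (serialize (partial + 1)))
  (read-untrusted-unsafe payload)   ; returns a fn object: the stream chose the class
  (read-untrusted-safe payload)     ; throws InvalidClassException, filter status REJECTED
  (affected-version? *clojure-version*)
  (affected-version? {:major 1 :minor 12 :incremental 0 :qualifier "alpha5"})  ; true
  (affected-version? {:major 1 :minor 11 :incremental 2 :qualifier nil}))      ; false
```

The filter is evaluated on class resolution, so a rejected stream fails before any constructor, readObject or hashCode of the named class runs; that is what makes it a usable stopgap for a hash-recursion bug. The reject-by-default tail ("!*") matters more than the explicit "!clojure.**" entry: the former also blocks other gadget classes on the classpath, the latter only documents the class family this CVE abuses.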
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.clojure:clojure | Maven | >= 1.7.0, < 1.11.2 | 1.11.2 |
| org.clojure:clojure | Maven | >= 1.12.0-alpha1, < 1.12.0-alpha9 | 1.12.0-alpha9 |
Affected products
- Clojure/Clojure
  OSV coordinates (5 package ranges, no CPE assigned):
  | Package URL | Affected range |
  |---|---|
  | pkg:apk/chainguard/cass-config-builder | < 1.0.8-r3 |
  | pkg:apk/chainguard/cass-config-builder-11-jre-bcfips | < 1.0.8-r1 |
  | pkg:apk/wolfi/cass-config-builder | < 1.0.8-r3 |
  | pkg:maven/org.clojure/clojure | >= 1.7.0, < 1.11.2 |
  | pkg:rpm/opensuse/clojure&distro=openSUSE%20Tumbleweed | < 1.11.2.1446-1.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vr64-r9qj-h27f (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-22871 (NVD entry, via GHSA)
- clojure.atlassian.net/browse/CLJ-2839 (upstream Clojure issue, via GHSA)
- hackmd.io/%40fe1w0/rymmJGida (proof-of-concept write-up, via GHSA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/25FKUOYXQZGGJMFUM5HJABWMIX2TILRV/ (Fedora package announcement, via MITRE and GHSA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWWK2SO2MH4SXPO6L444MM6LHVLVFULV/ (Fedora package announcement, via MITRE and GHSA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFPGUDXMW6OXKIDGCOZFEAXO74VQIB2T/ (Fedora package announcement, via MITRE and GHSA)
News mentions
No linked articles in our index yet.