VYPR
← All advisories
High severityOSV Advisory· Published Dec 19, 2025· Updated Feb 26, 2026

Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor

CVE-2025-66524

Description

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization does not provide protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation, which replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor located in the nifi-asana-processors-nar bundle also prevents exploitation.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.nifi:nifi-asana-processorsMaven
>= 1.20.0, < 2.7.02.7.0

Affected products

1
  • Apache/NifiOSV
    Range: docker/nifi-1.2.0, nifi-0.2.0-incubating-RC1, nifi-0.4.1, …

Patches

1
1c081c15544b

NIFI-15292 Refactored State Serialization in GetAsanaObject

https://github.com/apache/nifiexceptionfactoryDec 4, 2025via ghsa
commit
6 files changed · +201 107
  • nifi-extension-bundles/nifi-asana-bundle/nifi-asana-processors/src/main/java/org/apache/nifi/processors/asana/GetAsanaObject.java+2 2 modified
    @@ -210,8 +210,8 @@ public class GetAsanaObject extends AbstractProcessor {
             REL_UPDATED,
             REL_REMOVED
     );
-    protected static final GenericObjectSerDe<String> STATE_MAP_KEY_SERIALIZER = new GenericObjectSerDe<>();
-    protected static final GenericObjectSerDe<Map<String, String>> STATE_MAP_VALUE_SERIALIZER = new GenericObjectSerDe<>();
+    protected static final StringSerDe STATE_MAP_KEY_SERIALIZER = new StringSerDe();
+    protected static final MapStringSerDe STATE_MAP_VALUE_SERIALIZER = new MapStringSerDe();
 
     private volatile AsanaObjectFetcher objectFetcher;
     private volatile Integer batchSize;
  • nifi-extension-bundles/nifi-asana-bundle/nifi-asana-processors/src/main/java/org/apache/nifi/processors/asana/MapStringSerDe.java+66 0 added
    @@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.asana;
+
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
+import org.apache.nifi.distributed.cache.client.Deserializer;
+import org.apache.nifi.distributed.cache.client.Serializer;
+import org.apache.nifi.distributed.cache.client.exception.DeserializationException;
+import org.apache.nifi.distributed.cache.client.exception.SerializationException;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.io.Reader;
+import java.io.Writer;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
+
+public class MapStringSerDe implements Serializer<Map<String, String>>, Deserializer<Map<String, String>> {
+
+    private static final Charset CHARACTER_SET = StandardCharsets.UTF_8;
+
+    private static final Gson GSON = new Gson();
+
+    private static final TypeToken<Map<String, String>> MAP_TYPE_TOKEN = new TypeToken<>() { };
+
+    @Override
+    public Map<String, String> deserialize(final byte[] value) throws DeserializationException, IOException {
+        if (value == null || value.length == 0) {
+            return null;
+        }
+
+        try (Reader reader = new InputStreamReader(new ByteArrayInputStream(value), CHARACTER_SET)) {
+            return GSON.fromJson(reader, MAP_TYPE_TOKEN);
+        }
+    }
+
+    @Override
+    public void serialize(final Map<String, String> value, final OutputStream output) throws SerializationException, IOException {
+        if (value == null) {
+            return;
+        }
+
+        try (Writer writer = new OutputStreamWriter(output, CHARACTER_SET)) {
+            GSON.toJson(value, writer);
+        }
+    }
+}
  • nifi-extension-bundles/nifi-asana-bundle/nifi-asana-processors/src/main/java/org/apache/nifi/processors/asana/StringSerDe.java+13 19 renamed
    @@ -16,42 +16,36 @@
  */
 package org.apache.nifi.processors.asana;
 
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
-import java.io.OutputStream;
 import org.apache.nifi.distributed.cache.client.Deserializer;
 import org.apache.nifi.distributed.cache.client.Serializer;
 import org.apache.nifi.distributed.cache.client.exception.DeserializationException;
 import org.apache.nifi.distributed.cache.client.exception.SerializationException;
 
-public class GenericObjectSerDe <V> implements Serializer<V>, Deserializer<V> {
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+
+public class StringSerDe implements Serializer<String>, Deserializer<String> {
+
+    private static final Charset CHARACTER_SET = StandardCharsets.UTF_8;
 
     @Override
-    @SuppressWarnings("unchecked")
-    public V deserialize(byte[] value) throws DeserializationException, IOException {
+    public String deserialize(final byte[] value) throws DeserializationException {
         if (value == null || value.length == 0) {
             return null;
         }
 
-        try (ByteArrayInputStream bis = new ByteArrayInputStream(value)) {
-            try (ObjectInputStream objectInputStream = new ObjectInputStream(bis)) {
-                return (V) objectInputStream.readObject();
-            } catch (ClassNotFoundException e) {
-                throw new DeserializationException(e);
-            }
-        }
+        return new String(value, CHARACTER_SET);
     }
 
     @Override
-    public void serialize(V value, OutputStream output) throws SerializationException, IOException {
+    public void serialize(final String value, final OutputStream output) throws SerializationException, IOException {
         if (value == null) {
             return;
         }
 
-        try (ObjectOutputStream objectOutputStream = new ObjectOutputStream(output)) {
-            objectOutputStream.writeObject(value);
-        }
+        final byte[] bytes = value.getBytes(CHARACTER_SET);
+        output.write(bytes);
     }
 }
  • nifi-extension-bundles/nifi-asana-bundle/nifi-asana-processors/src/test/java/org/apache/nifi/processors/asana/GenericObjectSerDeTest.java+0 86 removed
    @@ -1,86 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.nifi.processors.asana;
-
-import static java.util.Collections.singletonMap;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNull;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.util.LinkedHashMap;
-import java.util.Map;
-import org.junit.jupiter.api.Test;
-
-public class GenericObjectSerDeTest {
-
-    @Test
-    public void testString1() throws IOException {
-        String expected = "Lorem Ipsum";
-        String actual = serializeAndThenDeserialize(expected);
-        assertEquals(expected, actual);
-    }
-
-    @Test
-    public void testString2() throws IOException {
-        String expected = "Foo Bar";
-        String actual = serializeAndThenDeserialize(expected);
-        assertEquals(expected, actual);
-    }
-
-    @Test
-    public void testMap1() throws IOException {
-        Map<String, String> expected = singletonMap("Lorem", "Ipsum");
-        Map<String, String> actual = serializeAndThenDeserialize(expected);
-        assertEquals(expected, actual);
-    }
-
-    @Test
-    public void testMap2() throws IOException {
-        Map<String, String> expected = new LinkedHashMap<>();
-        expected.put("Lorem", "Ipsum");
-        expected.put("Foo", "Bar");
-        Map<String, String> actual = serializeAndThenDeserialize(expected);
-        assertEquals(expected, actual);
-    }
-
-    @Test
-    public void testMap3() throws IOException {
-        Map<String, Map<String, Integer>> expected = new LinkedHashMap<>();
-        expected.put("Lorem", singletonMap("Ipsum", 1));
-        expected.put("Foo", singletonMap("Bar", 2));
-        Map<String, Map<String, Integer>> actual = serializeAndThenDeserialize(expected);
-        assertEquals(expected, actual);
-    }
-
-    @Test
-    public void testDeserializingNullInput() throws IOException {
-        assertNull(new GenericObjectSerDe<>().deserialize(null));
-    }
-
-    @Test
-    public void testDeserializingEmptyByteArray() throws IOException {
-        assertNull(new GenericObjectSerDe<>().deserialize(new byte[0]));
-    }
-
-    private <V> V serializeAndThenDeserialize(V value) throws IOException {
-        try (ByteArrayOutputStream bos = new ByteArrayOutputStream()) {
-            new GenericObjectSerDe<V>().serialize(value, bos);
-            return new GenericObjectSerDe<V>().deserialize(bos.toByteArray());
-        }
-    }
-}
  • nifi-extension-bundles/nifi-asana-bundle/nifi-asana-processors/src/test/java/org/apache/nifi/processors/asana/MapStringSerDeTest.java+66 0 added
    @@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.asana;
+
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.Map;
+
+import static java.util.Collections.singletonMap;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+class MapStringSerDeTest {
+
+    private final MapStringSerDe serDe = new MapStringSerDe();
+
+    @Test
+    void testSingletonMap() throws IOException {
+        final Map<String, String> expected = singletonMap("Lorem", "Ipsum");
+        final Map<String, String> actual = serializeAndThenDeserialize(expected);
+        assertEquals(expected, actual);
+    }
+
+    @Test
+    void testMultipleMap() throws IOException {
+        final Map<String, String> expected = Map.of(
+                "Lorel", "Ipsum",
+                "Foo", "Bar"
+        );
+        final Map<String, String> actual = serializeAndThenDeserialize(expected);
+        assertEquals(expected, actual);
+    }
+
+    @Test
+    void testDeserializingNullInput() throws IOException {
+        assertNull(serDe.deserialize(null));
+    }
+
+    @Test
+    void testDeserializingEmptyByteArray() throws IOException {
+        assertNull(serDe.deserialize(new byte[0]));
+    }
+
+    private Map<String, String> serializeAndThenDeserialize(final Map<String, String> value) throws IOException {
+        try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {
+            serDe.serialize(value, outputStream);
+            return serDe.deserialize(outputStream.toByteArray());
+        }
+    }
+}
  • nifi-extension-bundles/nifi-asana-bundle/nifi-asana-processors/src/test/java/org/apache/nifi/processors/asana/StringSerDeTest.java+54 0 added
    @@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.processors.asana;
+
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+
+class StringSerDeTest {
+
+    private final StringSerDe serDe = new StringSerDe();
+
+    @Test
+    void testString() throws IOException {
+        final String expected = StringSerDe.class.getName();
+        final String actual = serializeAndThenDeserialize(expected);
+        assertEquals(expected, actual);
+    }
+
+    @Test
+    void testDeserializingNullInput() {
+        assertNull(serDe.deserialize(null));
+    }
+
+    @Test
+    void testDeserializingEmptyByteArray() {
+        assertNull(serDe.deserialize(new byte[0]));
+    }
+
+    private String serializeAndThenDeserialize(final String value) throws IOException {
+        try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {
+            serDe.serialize(value, outputStream);
+            return serDe.deserialize(outputStream.toByteArray());
+        }
+    }
+}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.