Conversation
buherator
buherator
[oss-security] CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default
https://www.openwall.com/lists/oss-security/2025/05/28/6
I wonder if the now restricted behavior is useful for #deserialization gadgets (I couldn't find references to declaredClass abuse, but haven't finished my coffee yet either...)?
https://www.openwall.com/lists/oss-security/2025/05/28/6
I wonder if the now restricted behavior is useful for #deserialization gadgets (I couldn't find references to declaredClass abuse, but haven't finished my coffee yet either...)?
0
0
1