Sofastack Sofarpc
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Sofastack Sofarpc.
By the Year
In 2026 there have been 0 vulnerabilities in Sofastack Sofarpc. Sofarpc did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 1 | 9.80 |
| 2023 | 1 | 9.80 |
It may take a day or so for new Sofarpc vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Sofastack Sofarpc Security Vulnerabilities
SOFARPC Hessian deserialization bypass, blacklist evaded remediated in 5.12.0
CVE-2024-23636
9.8 - Critical
- January 23, 2024
SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue by adding a blacklist. SOFARPC also provides a way to add additional blacklists. Users can add a class like `-Drpc_serialize_blacklist_override=org.apache.xpath.` to avoid this issue.
Marshaling, Unmarshaling
SofaRPC RCE <=5.10.0 via JNDI Injection
CVE-2023-41331
9.8 - Critical
- September 12, 2023
SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.
EL Injection
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Sofastack Sofarpc or by Sofastack? Click the Watch button to subscribe.
