{"id":"CVE-2022-25647","details":"The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.","aliases":["GHSA-4jrv-ppp4-jm57"],"modified":"2026-04-09T08:44:35.493215Z","published":"2022-05-01T16:15:08.603Z","related":["CGA-jm4p-hj3x-cvjc","MGASA-2022-0340","SNYK-JAVA-COMGOOGLECODEGSON-1730327","SUSE-SU-2022:2044-1","SUSE-SU-2022:3706-1","openSUSE-SU-2024:12040-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220901-0009/"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5227"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"FIX","url":"https://github.com/google/gson/pull/1991"},{"type":"FIX","url":"https://github.com/google/gson/pull/1991/commits"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/google/gson","events":[{"introduced":"d260faffee51cb3b5d04a2a6fc09f079e2ae990f"},{"fixed":"6a368d89da37917be7714c3072b8378f4120110a"}],"database_specific":{"versions":[{"introduced":"2.2.3"},{"fixed":"2.8.9"}]}},{"type":"GIT","repo":"https://github.com/graalvm/graalvm-ce-builds","events":[{"introduced":"0"},{"last_affected":"283b613ae93663c6d5d66ef63e43e9dbc8bfffd8"},{"introduced":"0"},{"last_affected":"ac51a376132442367913ff0a3937b77f61ce58fe"},{"introduced":"0"},{"last_affected":"3f79371c56c7b91e624de14e3ae096d273f5d020"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"20.3.6"},{"introduced":"0"},{"last_affected":"21.3.2"},{"introduced":"0"},{"last_affected":"22.1.0"}]}}],"versions":["vm-19.3.0","vm-19.3.0.2","vm-19.3.1","vm-20.0.0","vm-20.3.5"
,"vm-20.3.6","vm-21.3.1","vm-21.3.2","vm-22.0.0.2","vm-22.1.0","vm-ce-21.2.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.8.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.8.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25647.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}