CVE-2026-41862
Spring · Spring Statemachine
Spring Statemachine's persistence backends fail to enforce a class allowlist during deserialization, enabling potential remote code execution.
Executive summary
A critical deserialization vulnerability in Spring Statemachine allows remote attackers to execute arbitrary code within the application JVM.
Vulnerability
The affected persistence backends (JPA, MongoDB, Redis, and ZooKeeper) deserialize stored state-machine contexts with Kryo without enforcing a class allowlist, so any class named in a persisted payload can be resolved and instantiated. This deserialization of untrusted data (CWE-502) lets an attacker who can write to the persistence store supply crafted serialized objects and achieve remote code execution.
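The following Java snippet is an added illustration of the weak configuration described above next to the allowlisted form; it is not Spring Statemachine's code or its fix. It assumes the Kryo 5 API (`com.esotericsoftware.kryo`), and `MachineContext` is a constructed stand-in for a persisted state-machine context, not a real Spring Statemachine type. With `setRegistrationRequired(false)` Kryo resolves whatever class name appears in the byte stream; with registration required, only classes registered up front can be read, and any other class name is rejected before an instance is created.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

public class KryoAllowlistDemo {

    // Constructed stand-in for a persisted state-machine context (hypothetical type).
    public static class MachineContext {
        public String state;
        public HashMap<String, String> variables = new HashMap<>();
    }

    // Weak configuration: registration not required, so the class name embedded in
    // the stream is resolved with Class.forName and instantiated, whatever it is.
    static Kryo permissiveKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false);
        return kryo;
    }

    // Hardened configuration: the set of registered classes is the allowlist.
    // Primitives and String are registered by Kryo itself; everything else must be listed.
    static Kryo allowlistedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(MachineContext.class);
        kryo.register(HashMap.class);
        return kryo;
    }

    static byte[] serialize(Kryo kryo, Object obj) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (Output out = new Output(bos)) {
            kryo.writeClassAndObject(out, obj);
        }
        return bos.toByteArray();
    }

    static Object deserialize(Kryo kryo, byte[] bytes) {
        try (Input in = new Input(bytes)) {
            return kryo.readClassAndObject(in);
        }
    }

    // Returns true when the given Kryo instance refuses the payload because the
    // class it names is not registered (Kryo throws IllegalArgumentException).
    static boolean rejectsPayload(Kryo kryo, byte[] bytes) {
        try {
            deserialize(kryo, bytes);
            return false;
        } catch (IllegalArgumentException notRegistered) {
            return true;
        }
    }

    public static void main(String[] args) {
        // A legitimate context round-trips under both configurations.
        MachineContext ctx = new MachineContext();
        ctx.state = "READY";
        ctx.variables.put("owner", "demo");
        byte[] good = serialize(allowlistedKryo(), ctx);
        MachineContext back = (MachineContext) deserialize(allowlistedKryo(), good);
        System.out.println("allowlisted round-trip: state=" + back.state);

        // A payload naming a class the application never expected (ArrayList here,
        // standing in for any unregistered type) is accepted by the permissive
        // instance and refused by the allowlisted one.
        byte[] unexpected = serialize(permissiveKryo(), new ArrayList<String>());
        System.out.println("permissive rejects unexpected class: "
                + rejectsPayload(permissiveKryo(), unexpected));   // false
        System.out.println("allowlisted rejects unexpected class: "
                + rejectsPayload(allowlistedKryo(), unexpected));  // true
    }
}
```

The rejection happens inside `readClassAndObject` when Kryo looks up the registration for the class named in the stream, so no constructor or serializer of the unexpected class runs. Registration order also matters in Kryo: both the writer and the reader must register the same classes in the same order, or use explicit IDs, otherwise legitimate payloads fail to decode.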
Business impact
An attacker's ability to execute arbitrary code within the application JVM represents a critical risk. With a CVSS score of 8.8, this vulnerability could lead to total system compromise, unauthorized data access, and the deployment of malicious payloads, jeopardizing the confidentiality and integrity of the entire application environment.
Remediation
Immediate Action: Upgrade to the latest patched version of Spring Statemachine, which enforces a class allowlist during deserialization.
Proactive Monitoring: Review application logs for unexpected deserialization errors or unusual class instantiation attempts. Monitor JVM performance and outbound network connections for signs of unauthorized activity.
Compensating Controls: Implement strict network segmentation to limit access to persistence backends (Redis, MongoDB, etc.) and utilize WAF rules to inspect traffic for serialized object payloads.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability is critical because it enables remote code execution. Organizations using Spring Statemachine must treat this as a high-priority incident and apply vendor-provided patches as soon as they become available.