CVE-2026-57527

OWASP · ZAP ViewState add-on

An insecure deserialization vulnerability in the OWASP ZAP ViewState add-on allows attackers to achieve arbitrary code execution via malicious serialized Java objects.

Executive summary

The OWASP ZAP ViewState add-on contains an insecure deserialization flaw that could allow an attacker to achieve arbitrary code execution on the host system.

Vulnerability

This is an insecure deserialization vulnerability occurring when the add-on processes improperly sanitized input. An attacker who controls a proxied web server can inject a malicious serialized Java object into the javax processing flow, resulting in remote code execution.
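The defensive pattern for this class of flaw is to never hand proxied bytes to an unfiltered ObjectInputStream. The following is an added illustration written for this advisory, not the ZAP add-on's code; the class name, the allow-list contents and the resource limits are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;

// Hypothetical hardened decode path for a base64 ViewState value; an added illustration,
// not the ZAP add-on's own code.
public final class SafeViewStateDecoder {
    // Every Java serialization stream starts with STREAM_MAGIC 0xACED and STREAM_VERSION 0x0005.
    private static final byte[] JAVA_SERIAL_HEADER = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    // JEP 290 filter (Java 9+): a short allow-list, then "!*" rejects every other class, plus
    // resource limits so a crafted stream cannot exhaust heap or recursion depth. The listed
    // class is an assumed placeholder for whatever the decoder genuinely needs to read.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;!*;maxdepth=8;maxrefs=256;maxbytes=16384");

    public static boolean hasJavaSerialHeader(byte[] data) {
        if (data.length < JAVA_SERIAL_HEADER.length) return false;
        for (int i = 0; i < JAVA_SERIAL_HEADER.length; i++) {
            if (data[i] != JAVA_SERIAL_HEADER[i]) return false;
        }
        return true;
    }

    // Only a filtered ObjectInputStream ever touches proxied bytes; an unfiltered readObject()
    // on server-controlled input is the vulnerable pattern this advisory describes.
    public static Object decode(String base64ViewState) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64ViewState);
        if (!hasJavaSerialHeader(raw)) {
            return null; // not a Java stream (e.g. ASP.NET ViewState): route to a non-deserializing parser
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ALLOW_LIST); // any class outside the list -> InvalidClassException
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a serialized java.lang.String, which the allow-list admits.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject("constructed-sample");
        }
        System.out.println(decode(Base64.getEncoder().encodeToString(bos.toByteArray())));
    }
}
```

Rejections surface as InvalidClassException before the offending class is instantiated, which is also a useful point to log for the monitoring step in the remediation section.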

Business impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the ZAP process, potentially leading to a full system compromise. With a CVSS score of 8.8, this high-severity vulnerability represents a significant risk to security testing environments where ZAP is utilized, potentially exposing sensitive internal vulnerability data and credentials.

Remediation

Immediate Action: Update the ZAP ViewState add-on to version 4 or later.

Proactive Monitoring: Review ZAP logs for suspicious object serialization patterns or unexpected process execution spawned by the ZAP application.

Compensating Controls: Ensure that ZAP instances are isolated from sensitive production networks and that access to the proxy interface is restricted to trusted security personnel only.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Security teams utilizing ZAP must prioritize upgrading the ViewState add-on. Given the severity of arbitrary code execution vulnerabilities, failing to patch this component could lead to the compromise of the testing platform and any sensitive data handled during security assessment activities.