CVE-2020-24164

Published: Sep 11, 2020Modified: Jun 17, 2026

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface.

Affected (1)

Products: Taoensso: Nippy

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Taoensso Nippy	Before 2.14.2

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (2)

https://github.com/ptaoussanis/nippy/issues/130

Source: cve@mitre.org

Third Party Advisory

https://github.com/ptaoussanis/nippy/issues/130

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.