## Vulnerability Key Information

### Title

Nutz Framework NutzBoot 2.6.0-SNAPSHOT Code Execution (Unauthenticated Java Deserialization)

### Description

- An exposed LiteRPC HTTP endpoint allows arbitrary deserialization of attacker-controlled data. The server expects the following headers: `LiteRpc-Klass`, `LiteRpc-Method`, and `LiteRpc-Serializer`. If all three are present, the endpoint looks up the serializer by name and blindly calls `serializer.read(req.getInputStream())`, trusting the serializer chosen by the client.
- LiteRPC registers `JdkRpcSerializer` by default; it is selected when the client sets `LiteRpc-Serializer: jdk`. The serializer wraps the request body in an `ObjectInputStream` and calls `readObject()`. No filtering occurs before the object graph is created, so any available gadget chain can be triggered.
- The issue is amplified by Loach service discovery. The endpoints `/loach/v1/list` and `/loach/v1/list/forlook` expose metadata containing each registered RPC interface and its hash method signature under `LiteRpc.RPC_REG_KEY`. This allows attackers to enumerate valid values for `LiteRpc-Klass` and `LiteRpc-Method` without guessing, ensuring the call reaches a real RpcInvoker and the deserialization code path executes.
- The `litepc/endpoint` and Loach list endpoints do not enforce authentication or network restrictions in the code, resulting in an unauthenticated remote code execution vulnerability.

### Additional Information

- **Source**: https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-RCE-1/report.md
- **Submitter**: sh7err03 (UID 92418)
- **Submission Date**: November 10, 2025, 11:15 AM
- **Review Date**: November 30, 2025, 3:13 PM
- **Status**: Accepted
- **VulDB Entry**: [333815](https://www.vuldb.com/) - nutzam NutzBoot up to 2.6.0-SNAPSHOT LiteRpc-Serializer HttpServletRpcEndpoint.java getInputStream deserialization
- **Points**: 20
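As an added example (not code from the NutzBoot project or from the report above), this shows the hardening a maintainer would apply to the `jdk` serializer path described in the report: the `LiteRpc-Serializer` header is resolved only against a server-side registry, and the `ObjectInputStream` is gated by a JEP 290 `ObjectInputFilter` allow-list so a request body carrying a non-listed class is rejected before any object is constructed. The `RpcSerializer` interface, the `HardenedRpcEndpoint` class and the `com.example.rpc.dto` package are assumed names, not identifiers from the framework.

```java
import java.io.*;
import java.util.*;

// Assumption: minimal stand-in for the serializer interface the endpoint calls read() on.
interface RpcSerializer {
    Object read(InputStream in) throws IOException, ClassNotFoundException;
}

// JDK serializer gated by a JEP 290 ObjectInputFilter (java.io.ObjectInputFilter, JDK 9+):
// only allow-listed classes may be instantiated from the request body; the trailing "!*" rejects the rest.
final class FilteredJdkRpcSerializer implements RpcSerializer {
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "com.example.rpc.dto.*;java.util.ArrayList;java.lang.Number;java.lang.Integer;java.lang.Long;"
        + "maxdepth=8;maxrefs=500;!*"); // com.example.rpc.dto is an assumed DTO package
    @Override
    public Object read(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(FILTER); // a non-listed class fails with InvalidClassException before construction
            return ois.readObject();
        }
    }
}

public final class HardenedRpcEndpoint {
    // Server-side registry: the LiteRpc-Serializer header can only select an entry listed here.
    private static final Map<String, RpcSerializer> ENABLED = Map.of("jdk", new FilteredJdkRpcSerializer());

    static RpcSerializer resolve(String headerValue) {
        RpcSerializer s = ENABLED.get(headerValue);
        if (s == null) throw new IllegalArgumentException("unsupported LiteRpc-Serializer: " + headerValue);
        return s;
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        RpcSerializer s = resolve("jdk");
        // Constructed bodies: an allow-listed ArrayList<Integer>, then a Date (not listed, so rejected).
        System.out.println("accepted: " + s.read(new ByteArrayInputStream(serialize(new ArrayList<>(List.of(1, 2, 3))))));
        try {
            s.read(new ByteArrayInputStream(serialize(new Date())));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is checked for every class descriptor in the stream, including serializable superclasses, which is why `java.lang.Number` has to be listed alongside `Integer`; the same mechanism is what stops a gadget-chain body at its first non-listed class.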