PoC details: 4235d4975e9b300a67f55f880df425e67ec977b7

Source
Related vulnerability
Title: Apache Parquet code issue vulnerability (CVE-2025-30065)
Description: Apache Parquet is a columnar storage format from the Apache Software Foundation (USA) that can be used by any project in the Hadoop ecosystem. Apache Parquet 1.15.0 and earlier versions contain a code issue vulnerability: schema parsing in the parquet-avro module can lead to arbitrary code execution.
Introduction
# CVE-2025-30065

This repository illustrates how to exploit CVE-2025-30065 to achieve remote class instantiation and trigger a
network request from within the victim application (i.e. the JVM), thereby achieving SSRF.

The generated parquet in [Malicious.java](src%2Fmain%2Fjava%2Fcom%2Fevil%2FMalicious.java) assumes that the class [RCEPayload.java](src%2Fmain%2Fjava%2Fcom%2Fevil%2FRCEPayload.java)
is present in the classpath which is not realistic. You can trigger that PoC by executing [Reader.java](src%2Fmain%2Fjava%2Fcom%2Fvictim%2FReader.java).

![image.png](images%2Fimage.png)


[MaliciousSSRF.java](src%2Fmain%2Fjava%2Fcom%2Fevil%2FMaliciousSSRF.java) is more feasible (from an attacker's perspective) and triggers a network connection, which could be internal or external.
One could also find other gadgets to achieve RCE (the tricky part is finding a constructor that accepts a string as its argument and leads to RCE; it is not like plain Java deserialization).
Similarly, the PoC can be executed using [ReaderSSRF.java](src%2Fmain%2Fjava%2Fcom%2Fvictim%2FReaderSSRF.java).
![image-ssrf.png](images%2Fimage-ssrf.png)

For more details about the internals of the vulnerability and the fix, have a look at my blog post: www.deep-kondah.com/parquet-under-fire-a-technical-analysis-of-cve-2025-30065

File snapshot

```
[4.0K] /data/pocs/4235d4975e9b300a67f55f880df425e67ec977b7
├── [ 147] DISCLAIMER.md
├── [  83] exploit.html
├── [4.0K] images
│   ├── [ 26K] image.png
│   └── [ 52K] image-ssrf.png
├── [1.5K] pom.xml
├── [1.3K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] com
                ├── [4.0K] evil
                │   ├── [1.4K] GenerateMaliciousParquet.java
                │   ├── [1.5K] GenerateMaliciousParquetSSRF.java
                │   └── [ 509] RCEPayload.java
                └── [4.0K] victim
                    ├── [ 558] Reader.java
                    └── [ 567] ReaderSSRF.java

7 directories, 11 files
```