Spring Security Advisories

CVE-2016-2173 Remote Code Execution in Spring AMQP

CRITICAL | APRIL 11, 2016 | CVE-2016-2173


The class org.springframework.core.serializer.DefaultDeserializer does not validate the deserialized object against a whitelist. By supplying a crafted serialized object like Chris Frohoff's Commons Collection gadget, remote code execution can be achieved.

Affected Spring Products and Versions

  • 1.0.0 to 1.5.4


Users of affected versions should apply the following mitigation:

  • The cited class (DefaultDeserializer) is not registered by any Spring application context automatically; users should take care when using this class with objects from untrusted sources in the same way they should when using ObjectInputStream directly.
  • Spring AMQP has an (optional) message converter that can use this deserializer; starting with version 1.5.5, that converter can now be configured with a whitelist of acceptable packages/classes that can be deserialized.
  • Spring AMQP also has a SimpleMessageConverter which *is* configured by default; it doesn't use the deserializer, but does use ObjectInputStream internally; it, too, can now be configured with a whitelist of packages/classes.
  • It is recommended that users do not use Java serialization when using RabbitMQ in an environment where untrusted data might be received; if they do, they should configure the converter with the allowable objects.
  • Users that might be exposed to this vulnerability should upgrade to Spring AMQP 1.5.5 or higher and configure the whitelist.


Vulnerability discovery by Matthias Kaiser of Code White (www.code-white.com)


  • 2016-Apr-11: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all