Title: Java Object Deserialization
Last modified: December 12, 2022

---

# Java Object Deserialization

 *  Resolved [cdavisgf](https://wordpress.org/support/users/cdavisgf/)
 * (@cdavisgf)
 * [3 years, 5 months ago](https://wordpress.org/support/topic/java-object-deserialization/)
 * One of my clients has run a third party security scan of their site and it came
   back with a critical error of Java Object Deserialization. It is on the contact
   form message field.
 * I’m not sure why CF7 would be deserializing a Java object, or if I’m just
   looking in the wrong direction, but figured I would reach out for help.
 * It could be that this is not on the plugin level, but at the server level, but
   I’m trying to check on all avenues.
 * Thanks for any help you might be able to give. The relevant portion of the scan
   is copied below.
 *     ```
       Identification
       PAYLOAD
       [base64-encoded serialized payload blob omitted]
   
       PROOF
       The scanner injected the following delays in the payloads : [3, 5, 8] (seconds) and noticed the following response
       times : [3.491512, 5.495505, 8.050464] (seconds).
   
       OUTPUT
       The scanner was able to inject a crafted Java Object which was deserialized by the remote application by using the
       Apache Commons BeanUtils gadget. The payload used can be viewed in the HTTP request provided in attachment.
       ```
   

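A triage helper for this kind of finding, added here as an example and not part of the thread or of Contact Form 7: it takes the text a scanner submitted in a form field, base64-decodes it, unwraps gzip if the blob starts with `H4sI` (the base64 form of the gzip magic bytes, as in the report above), and reports whether the result is a Java serialization stream and which class names it carries, so you can tell from your own access logs or WAF captures what was sent without needing Java anywhere in the stack. The sample payload is constructed inline to exercise the detector; the field name and the assumption that the value arrives as plain base64 text are mine.

```python
import base64
import binascii
import gzip
import re
import zlib
from typing import Optional

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectStreamConstants STREAM_MAGIC + version 5
GZIP_MAGIC = b"\x1f\x8b"                  # what a base64 value starting "H4sI" decodes to

# Dotted Java identifiers with at least two segments; used only to name what the stream references.
CLASS_RE = re.compile(rb"(?:[A-Za-z_$][A-Za-z0-9_$]*\.){2,}[A-Za-z_$][A-Za-z0-9_$]*")


def decode_payload(field_value: str) -> Optional[bytes]:
    """Base64-decode a form-field value; transparently gunzip it if it is gzip-wrapped."""
    try:
        raw = base64.b64decode(field_value, validate=True)
    except (binascii.Error, ValueError):
        return None            # ordinary message text is not valid base64
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return None        # truncated or corrupt gzip wrapper
    return raw


def classify_payload(field_value: str) -> dict:
    """Report whether a submitted value is a Java serialization stream and which classes it names."""
    raw = decode_payload(field_value)
    if raw is None or not raw.startswith(JAVA_STREAM_MAGIC):
        return {"java_serialized": False, "classes": []}
    classes = sorted({m.decode("ascii") for m in CLASS_RE.findall(raw)})
    return {"java_serialized": True, "classes": classes}


def build_sample() -> str:
    """Constructed stand-in for a scanner payload: gzip-wrapped stream header plus one class descriptor."""
    name = b"org.apache.commons.beanutils.BeanComparator"
    # TC_OBJECT (0x73), TC_CLASSDESC (0x72), 2-byte UTF length, class name, then filler bytes
    stream = JAVA_STREAM_MAGIC + b"\x73\x72" + len(name).to_bytes(2, "big") + name + b"\x00" * 16
    return base64.b64encode(gzip.compress(stream)).decode("ascii")


if __name__ == "__main__":
    print(classify_payload(build_sample()))
    print(classify_payload("Hello, I would like a quote for 20 units."))
```

A hit on a PHP-only site still means the request reached the form, but it cannot be deserialized by PHP's unserialize() or by WordPress; the timing "proof" should then be re-checked against the endpoint's normal response latency before accepting the finding.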
Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [Takayuki Miyoshi](https://wordpress.org/support/users/takayukister/)
 * (@takayukister)
 * [3 years, 5 months ago](https://wordpress.org/support/topic/java-object-deserialization/#post-16283447)
 * The Contact Form 7 plugin does not use Java. I guess the security scan report
   has nothing to do with WordPress or its plugins.
 *  Thread Starter [cdavisgf](https://wordpress.org/support/users/cdavisgf/)
 * (@cdavisgf)
 * [3 years, 5 months ago](https://wordpress.org/support/topic/java-object-deserialization/#post-16286531)
 * That’s what I thought also. I looked over the code and don’t see any calls to
   deserialize() to even run. The client keeps wanting an answer and I’m completely
   stumped on this one. As far as I know, even if you deserialize a Java object then
   it would not even run, but I’m not sure if you can serialize some JS and if it
   would run on the front end, but I don’t have any reason to think this would be
   happening either.
