QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability

Description

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted.

More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked.

Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions.

This issue affects logback: through 1.5.32 inclusive.

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2026-05-28 15:39:50 UTC
Updated
2026-07-02 13:55:31 UTC
GitHub reviewed
2026-07-02 13:55:30 UTC
NVD published
2026-05-28

EPSS Score

Score Percentile
0.37% 28.62%

CVSS Scores

Base score Version Severity Vector
1.2 4.0
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/RE:L/U:Green Click to expand
Attack vector (AV:L)
Attacker needs local access on the target system.
Attack complexity (AC:H)
Exploitation depends on constrained or hard-to-reproduce conditions.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:L)
Limited confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:L)
Limited integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:P)
Proof-of-concept: public PoC exists; no reported exploitation and no known simplification tools.
Vulnerability response effort (supplemental) (RE:L)
Low/trivial response effort (documentation, simple configuration, low-touch guidance).
Provider urgency (supplemental) (U:GREEN)
Green: provider rates reduced urgency.

Identifiers

CWEs

CWE id Name
CWE-502 Deserialization of Untrusted Data

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven ch.qos.logback:logback-core <= 1.5.32 1.5.33

References

cvelogic Threat Intelligence