CVE-2023-41331: SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker...

Description

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.34%

67.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-917

Affected Software

Vendor	Product	Versions
Sofastack	Sofarpc	< 5.11.0

References

https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0Release Notes
https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86Mitigation, Vendor Advisory
https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0Release Notes
https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86Mitigation, Vendor Advisory

Timeline

Published: Sep 12, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-41331?

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.

How severe is CVE-2023-41331?

CVE-2023-41331 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.34% probability of exploitation in the next 30 days.

How do I fix CVE-2023-41331?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.