PatchSiren cyber security CVE debrief

CVE-2022-25647 Google CVE debrief

CVE-2022-25647 is a deserialization vulnerability in Gson versions before 2.8.9. According to NVD, the issue is tied to untrusted data handling in internal classes via writeReplace(), and it can lead to denial-of-service conditions. The vulnerability is rated HIGH (CVSS 7.7) and is most relevant anywhere Gson is embedded directly or bundled into larger products. NVD also maps impacted downstream products, including Oracle GraalVM Enterprise builds and other vendor distributions that ship affected Gson versions.

Vendor: Google
Product: Gson
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2022-05-01
Original CVE updated: 2024-11-21
Advisory published: 2022-05-01
Advisory updated: 2024-11-21

Who should care

Security and platform teams that ship or depend on Gson, especially if your application processes attacker-controlled input or you distribute a product that bundles Gson. Teams responsible for Oracle GraalVM Enterprise, Debian-based systems, NetApp products, or internal Java services should confirm whether an affected Gson version is present.

Technical summary

NVD describes CVE-2022-25647 as a CWE-502 deserialization of untrusted data issue affecting com.google.code.gson:gson before 2.8.9. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H) indicates network reachability with no privileges or user interaction required, but high attack complexity. NVD describes the practical impact as denial of service, while its vector assigns high integrity and availability impact and low confidentiality impact. Google's patch work is referenced in the upstream pull request linked by NVD, and downstream advisories show vendors tracked fixes after the upstream update.

Defensive priority

High. The issue is widely distributed through the Java ecosystem and appears in multiple downstream products. Prioritize if Gson is reachable through network-facing services or if your product lines bundle third-party Java libraries.

Recommended defensive actions

  • Inventory all applications and appliances that include com.google.code.gson:gson.
  • Upgrade Gson to 2.8.9 or later, or move to a vendor-fixed release that bundles a safe Gson version.
  • Check downstream products listed by NVD if you consume Oracle GraalVM Enterprise, Debian packages, NetApp Active IQ Unified Manager, or related distributions.
  • Review deserialization entry points that accept untrusted input and confirm they are not relying on affected Gson behavior.
  • Validate build and dependency-management controls so vulnerable transitive Gson versions cannot be reintroduced.
  • Monitor vendor advisories and release notes for package-specific remediation guidance.
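The inventory and build-control steps above can be checked mechanically against the text that `mvn dependency:tree` prints, one tree per module. The script below is an added example, not PatchSiren's or Google's code; it walks the tree, compares every com.google.code.gson:gson node against the "before 2.8.9" range from the NVD record, and reports the path from the module root so transitive pulls can be traced. The module names, artifacts and tree text are constructed.

```python
import re

AFFECTED_GA = "com.google.code.gson:gson"
FIXED_VERSION = "2.8.9"  # first release outside the "before 2.8.9" range in the NVD record

# One line of the default `mvn dependency:tree` text output, e.g.
#   [INFO] |  \- com.google.code.gson:gson:jar:2.8.6:compile
# The tree art ("|  ", "+- ", "\- ") is three characters per nesting level.
_TREE_LINE = re.compile(r"^\[INFO\] (?P<art>[ |+\\-]*)(?P<coord>[A-Za-z0-9_.]+:\S+)(?:\s.*)?$")

def version_key(version):
    """Comparable key: numeric segments compare as ints, qualifiers (alpha, rc) as text."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", version))

def is_affected(version):
    return version_key(version) < version_key(FIXED_VERSION)

def split_coordinate(coord):
    """groupId:artifactId:type[:classifier]:version[:scope] -> (groupId:artifactId, version, scope)."""
    f = coord.split(":")
    if len(f) == 4:                      # module root line: no scope
        return f"{f[0]}:{f[1]}", f[3], None
    if len(f) == 5:
        return f"{f[0]}:{f[1]}", f[3], f[4]
    if len(f) == 6:                      # with classifier
        return f"{f[0]}:{f[1]}", f[4], f[5]
    return None                          # plugin banner or other non-coordinate line

def find_affected_gson(tree_text):
    """Return one finding per affected Gson node, with the module-root-to-node path."""
    findings, path = [], []              # path[i] = "groupId:artifactId:version" at depth i
    for line in tree_text.splitlines():
        m = _TREE_LINE.match(line)
        parts = m and split_coordinate(m.group("coord"))
        if not parts:
            continue
        ga, version, scope = parts
        depth = len(m.group("art")) // 3
        del path[depth:]                 # drop finished branches; depth 0 starts a new module
        path.append(f"{ga}:{version}")
        if ga == AFFECTED_GA and is_affected(version):
            findings.append({"version": version, "scope": scope, "path": list(path)})
    return findings

# Constructed sample: two modules of one build; only the second pulls in an old Gson transitively.
SAMPLE_TREE = """\
[INFO] com.example:orders-api:jar:1.4.0
[INFO] +- com.google.code.gson:gson:jar:2.8.9:compile
[INFO] \\- org.example:metrics:jar:3.2.0:compile
[INFO] com.example:orders-worker:jar:1.4.0
[INFO] +- com.example:legacy-client:jar:0.9.1:compile
[INFO] |  \\- com.google.code.gson:gson:jar:2.8.6:compile
[INFO] \\- org.example:reporting:jar:3.2.0:test
[INFO]    \\- org.yaml:snakeyaml:jar:2.2:test
"""

if __name__ == "__main__":
    for f in find_affected_gson(SAMPLE_TREE):
        print(f"gson {f['version']} ({f['scope']}): " + " -> ".join(f["path"]))
```

Run it against `mvn dependency:tree` output saved from a CI job; a non-empty result is the signal that a vendor-fixed release or an explicit dependencyManagement pin has not yet reached that module.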

Evidence notes

Primary evidence comes from NVD’s CVE record, which identifies CWE-502, the affected version range for gson before 2.8.9, and impacted downstream CPEs. The official CVE record and NVD detail page confirm the vulnerability metadata and publication timing. Upstream remediation is referenced by the Google Gson pull request linked in the advisory set, while Debian and Oracle references show downstream handling of the issue.

Official resources

Publicly disclosed on 2022-05-01 per the CVE/NVD record; the NVD entry was later modified on 2024-11-21.