Impact of CVE-2022-25647


Neeraj Kumar

Oct 18, 2022, 12:36:26 PM
to Closure Compiler Discuss
Hi experts,

I am looking forward to understanding the real impact of the CVE-2022-25647 which is applicable to "gson" - one of the dependency components of closure-compiler.

Apparently, gson versions before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

However, I do not see any explicit usage of writeReplace in closure-compiler source code.
Considering that, is it safe to say closure-compiler-v20161024 or any release that is packing gson version before 2.8.9 are not impacted by the mentioned CVE?

Thanks,
Neeraj

Reference:

Bradford Smith

Oct 18, 2022, 1:46:01 PM
to Closure Compiler Discuss
I'm afraid that closure-compiler-v20161024 is so old that I don't think I or anyone else on the closure-compiler team would be willing to make any guarantees about it at all.

That being said, I can safely say the following:

In 2016 closure-compiler never did any deserialization of Java classes using gson or anything else, so it would not be subject to this vulnerability.

It is now possible for closure-compiler to save the compilation state part way through, then restore that state and continue later.
That process originally used built-in Java serialization for everything.
It currently uses Google protocol buffers for the Abstract Syntax Tree (the JS code being compiled) and Java built-in serialization only for the compiler's options and other internal state.

At no point did it ever use Gson to do any of this serialization or deserialization,
so no version of closure-compiler should be subject to this vulnerability.

Best regards,
Bradford
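The reply above settles the impact question for closure-compiler itself; what the original question still needs is a way to tell which builds pack a gson older than the 2.8.9 fix. The following is an added example (not code from this thread or from the closure-compiler project) that scans `mvn dependency:tree` style output for such gson artifacts; the dependency tree it scans is constructed for the example, and its coordinates and versions are made up.

```python
import re
from typing import List, Tuple

# Fixed version per the CVE description quoted in the thread: gson < 2.8.9 is affected.
GSON_FIXED_VERSION = "2.8.9"

# Constructed sample in `mvn dependency:tree` format. The artifacts and versions
# are invented for this example and do not describe any real closure-compiler build.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.google.javascript:closure-compiler:jar:v20161024:compile
[INFO] |  \\- com.google.code.gson:gson:jar:2.7:compile
[INFO] +- com.example:other:jar:3.1:compile
[INFO] |  \\- com.google.code.gson:gson:jar:2.10.1:compile
[INFO] \\- org.example:lib:jar:0.4:compile
"""

# groupId:artifactId:jar:version as printed by Maven
COORD_RE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a version into numeric components so comparison is numeric:
    2.10.1 must sort above 2.8.9, which plain string comparison gets wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_vulnerable_gson(tree_text: str, fixed: str = GSON_FIXED_VERSION) -> List[Tuple[str, str]]:
    """Return (coordinate, version) pairs for every gson artifact older than `fixed`."""
    hits = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        group, artifact, version = match.groups()
        if group == "com.google.code.gson" and artifact == "gson":
            if parse_version(version) < parse_version(fixed):
                hits.append((f"{group}:{artifact}", version))
    return hits


if __name__ == "__main__":
    for coordinate, version in find_vulnerable_gson(SAMPLE_TREE):
        print(f"{coordinate}:{version} is older than {GSON_FIXED_VERSION}")
```

A hit only means a vulnerable gson is on the classpath; as the reply explains, exposure additionally requires the application to deserialize untrusted data through gson, which closure-compiler never does.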