how to fix CVE-2024-22399 #7552

anic · 2025-07-21T03:08:55Z

anic
Jul 21, 2025

It seems that there is a hessian serialization Vulnerabilities in seata :
https://avd.aliyun.com/detail?id=AVD-2024-22399&timestamp__1384=Gqmx9D2D0DciitGkDlEIAYqQwR7zYNPFY4D
http://www.openwall.com/lists/oss-security/2024/09/11/2
https://lists.apache.org/thread/91nzzlxyj4nmks85gbzwkkjtbmnmlkc4

however we are using low version of seata (eg. seata 1.4.2), it's not easy to upgrade to version 1.8.1 which means a lot of tests should do. We wonder if there are any solution of configuration to fix CVE-2024-22399 ? For example to disable hessian and to use kyro as serialization

Answered by funky-eyes

Aug 28, 2025

You can remove the related dependencies directly from the 1.4.2 server, as long as you ensure Kryo and Hessian serialization are not used.

View full answer

funky-eyes · 2025-08-28T01:48:40Z

funky-eyes
Aug 28, 2025
Collaborator

You can remove the related dependencies directly from the 1.4.2 server, as long as you ensure Kryo and Hessian serialization are not used.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

how to fix CVE-2024-22399 #7552

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

how to fix CVE-2024-22399 #7552

Uh oh!

anic Jul 21, 2025

Replies: 1 comment

Uh oh!

funky-eyes Aug 28, 2025 Collaborator

anic
Jul 21, 2025

funky-eyes
Aug 28, 2025
Collaborator