An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation.

Affect all the versions lower and include 1.2.0.

Affected products: helix-core, helix-rest

Mitigation: Short term, stop using any YAML based configuration and workflow creation.
Long term, all Helix version bumping up to 1.3.0

Affected Packages

Maven org.apache.helix:helix-core

Affected versions: 0 (fixed in 1.3.0)

Maven org.apache.helix:helix-rest

Affected versions: 0 (fixed in 1.3.0)

Related CVEs

CVE-2023-38647

Key Information

GHSA ID

GHSA-jhcr-hph9-g7wm

Published

July 26, 2023 9:30 AM

Last Modified

October 2, 2024 9:40 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.helix:helix-core

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.