OSV
added 2026/04/17 3:31 p.m.

GHSA-XW5C-JC7X-GF75 PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

CVSS 7 · AI score 5.6 · EPSS 0.00006
Exploits 0 · References 4
vulnersOsv
added 2026/03/05 2:07 a.m.

com.efluid.oss:efluid-datagate-app (>=3.1.3 <=6.1.5), com.efluid.oss:efluid-datagate-app-cucumber (>=3.1.3 <=6.1.5) +5 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=5.0.1 <=5.7.8)

org.pac4j:pac4j-jwt MAVEN version =5.0.1, =3.1.3, =3.1.3, =0.8.0, =0.8.0, =2.0.6, =2.2.1, =2.0.6, =2.1.0 Source cves: CVE-2026-29000 Source advisory: SNYK:JAVA-ORGPAC4J-15428218...

CVSS 9.3 · AI score 6.7 · EPSS 0.00039
Exploits 17
RedhatCVE
added 2025/05/23 3:25 a.m.

CVE-2023-25558

DataHub is an open-source metadata platform. When the DataHub frontend is configured to authenticate via SSO, it will leverage the pac4j library. The processing of the idtoken is done in an unsafe manner which is not properly accounted for by the DataHub frontend. Specifically, if any of the...

CVSS 8.8 · AI score 7.5 · EPSS 0.04227
Exploits 0 · References 1
Positive Technologies
added 2025/03/31 12:00 a.m.

PT-2025-13818 · Jooby +1

Name of the Vulnerable Software and Affected Versions: Jooby versions prior to 2.17.0; Jooby versions prior to 3.7.0. Description: The issue concerns the deserialization of untrusted data by the SessionStoreImplget module in the pac4j library of the Jooby web framework for Java and Kotlin...

CVSS 8.8 · AI score 6.4 · EPSS 0.00462
Exploits 0 · References 11
CVE
added 2023/02/10 10:03 p.m.

CVE-2023-25558

CVE-2023-25558 affects the DataHub open-source metadata platform. When the DataHub frontend uses SSO, it relies on the pac4j library to process id_token claims. If a claim begins with the {#sb64} prefix, pac4j may deserialize it as a Java object, enabling potential Remote Code Execution (RCE). A ...

CVSS 8.8 · AI score 8.5 · EPSS 0.04227
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2023/02/10 10:03 p.m.

CVE-2023-25558 Deserialization of untrusted data in DataHub

DataHub is an open-source metadata platform. When the DataHub frontend is configured to authenticate via SSO, it will leverage the pac4j library. The processing of the idtoken is done in an unsafe manner which is not properly accounted for by the DataHub frontend. Specifically, if any of the...

CVSS 7.5 · AI score 8.4 · EPSS 0.04227
Exploits 0 · References 2
Snyk
added 2019/09/20 1:10 p.m.

Insecure Randomness

Overview: org.pac4j:pac4j-saml is a PAC4J package for the SAML protocol. Affected versions of this package are vulnerable to Insecure Randomness. An insecure source of randomness is used to generate all of its random values, as it relies upon Apache Commons Lang3 RandomStringUtils. This SAML...

CVSS 4.9 · AI score 7 · EPSS 0.00312
Exploits 0 · References 2