Description
Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
Passive
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
References
- MISChttps://www.zaproxy.org/blog/2026-06-24-java-deserialization-vulnerability-in-zap-viewstate-addon/
- PATCHhttps://github.com/zaproxy/zap-extensions/releases/tag/viewstate-v4
- PATCHhttps://github.com/zaproxy/zap-extensions/pull/7481
- PATCHhttps://github.com/zaproxy/zap-extensions/commit/ac6c3f94d38505bc0facea286a4d3728044c6e5c
- VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/zap-viewstate-add-on-insecure-deserialization-via-jsfviewstate-decode