Maliciously crafted HTTP request to Gradle Enterprise may allow remote code execution

Affected product(s)

  • Gradle Enterprise 2017.2 - 2021.1.2

Published at

Related CVE ID(s)

Gradle Enterprise stores application session data in client-side cookies, encrypted and signed with randomly generated, installation-specific keys. When a request is processed, this session data is deserialized into Java objects.

An attacker who has obtained the encryption and signing keys could potentially craft an HTTP request whose session data deserializes to unsafe objects, leading to remote code execution. This class of issue is known as an “insecure deserialization” or “gadget” vulnerability.

As of Gradle Enterprise 2021.1.3, additional measures have been put in place that prevent such a crafted request from deserializing arbitrary unsafe objects.
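The following is an added illustration of the general defence the advisory describes, restricting which classes a session deserializer will accept, written as a JDK 9+ `ObjectInputFilter` allowlist; it is not Gradle Enterprise's own code, and the `SessionData` and `NotASession` classes are constructed placeholders.

```java
import java.io.*;

public class SessionDeserialization {
    // Constructed stand-in for the record a legitimate session cookie would carry.
    public static final class SessionData implements Serializable {
        private static final long serialVersionUID = 1L;
        final String userId;
        final long expiresAtEpochSec;
        SessionData(String userId, long expiresAtEpochSec) {
            this.userId = userId;
            this.expiresAtEpochSec = expiresAtEpochSec;
        }
    }

    // Constructed stand-in for any class that has no business in a session cookie.
    public static final class NotASession implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "unexpected";
    }

    // Allowlist: SessionData plus the JDK's own java.base types; everything else ("!*")
    // is rejected, as is any graph deeper than 10 objects or larger than 1 KiB.
    static final ObjectInputFilter SESSION_FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=10;maxbytes=1024;" + SessionData.class.getName() + ";java.base/*;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize decrypted, signature-verified cookie bytes under the allowlist filter.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(SESSION_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SessionData ok = (SessionData) deserializeFiltered(serialize(new SessionData("alice", 1700000000L)));
        System.out.println("accepted session for " + ok.userId);
        try {
            deserializeFiltered(serialize(new NotASession()));
        } catch (InvalidClassException e) {
            // Filter status REJECTED: the class is not on the allowlist.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Such a filter limits what a forged cookie can instantiate even when the keys are compromised; it complements, rather than replaces, keeping the keys secret and rotating them if exposure is suspected.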


Upgrade to Gradle Enterprise 2021.1.3.