GHSA-q4rf-3fhx-88pf
HIGHYAML deserialization can run untrusted code
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
org.rundeck:rundeck-core☕org.rundeck:rundeck-coreReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Impact
An authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition.
The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:
adminlevel access to thesystemresource type
The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions:
createupdateoradminlevel access to aproject_aclresourcecreateupdateoradminlevel access to thesystem_aclresource
The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only.
Patches
Versions 3.4.3, 3.3.14
Workarounds
Please visit https://rundeck.com/security for information about specific workarounds.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
To report security issues to Rundeck please use the form at https://rundeck.com/security
Reporter: Rojan Rijal from Tinder Red Team
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | org.rundeck:rundeck-core | ≥ 3.4.0&&< 3.4.3 | 3.4.3 |
| ☕Maven | org.rundeck:rundeck-core | all versions | 3.3.14 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.rundeck:rundeck-core. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.rundeck:rundeck-core to 3.4.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-q4rf-3fhx-88pf is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-q4rf-3fhx-88pf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-q4rf-3fhx-88pf. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-q4rf-3fhx-88pf in your dependencies?
O3 detects GHSA-q4rf-3fhx-88pf across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.