DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27206: The Zumba Class Dance: RCE via PHP Object Injection in json-serializer

Vulnerability ID: CVE-2026-27206
CVSS Score: 8.1
Published: 2026-02-19

A high-severity PHP Object Injection vulnerability exists in the Zumba Json Serializer library. By trusting user-controlled type hints in JSON payloads, the library allows attackers to instantiate arbitrary classes, leading to Remote Code Execution (RCE) via magic method gadget chains. While a patch exists, it requires manual configuration to be effective.

TL;DR

Zumba Json Serializer <= 3.2.2 blindly trusts the @type field in JSON input, allowing attackers to instantiate any PHP class. If a 'gadget' class exists in the application, this leads to RCE. The fix in 3.2.3 introduces an allowlist, but it defaults to 'allow all' for backward compatibility, leaving updated applications vulnerable unless explicitly configured.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-502
  • CVSS Score: 8.1 (High)
  • Attack Vector: Network
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof of Concept (PoC) Available
  • Vulnerability Type: PHP Object Injection

Affected Systems

  • PHP Applications using zumba/json-serializer < 3.2.3
  • json-serializer: < 3.2.3 (Fixed in: 3.2.3)

Code Analysis

Commit: bf26227

Introduced setAllowedClasses method to filter deserialization.

+ if ($this->allowedClasses !== null && !in_array($className, $this->allowedClasses, true))
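Review bot: the guard only rejects when `$this->allowedClasses !== null`, so an upgraded application that never calls `setAllowedClasses()` keeps the pre-patch behaviour of instantiating whatever `$className` the `@type` hint names; the advisory's TL;DR calls this out as the reason 3.2.3 alone is not a fix. Consider emitting a deprecation notice or warning when `$this->allowedClasses` is still `null` at unserialize time, and documenting the opt-in allowlist beside the `setAllowedClasses` method so the safe configuration is discoverable.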

Exploit Details

Mitigation Strategies

  • Upgrade to version 3.2.3 immediately.
  • Implement a strict allowlist of classes using setAllowedClasses().
  • Switch to native json_decode if object hydration is not strictly required.
  • Audit application dependencies for known gadget chains (e.g., PHPGGC).

Remediation Steps:

  1. Run composer require zumba/json-serializer:^3.2.3.
  2. Search codebase for all instantiations of new JsonSerializer().
  3. Add $serializer->setAllowedClasses([...]) immediately after instantiation.
  4. Test serialization flows to ensure legitimate classes are not blocked.
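The remediation steps above, shown as an added example (not code from the advisory or from the zumba/json-serializer project): the default-allow configuration after upgrading beside a serializer with an explicit allowlist, fed a constructed payload whose `@type` names a class the endpoint should never accept. It assumes `setAllowedClasses()` takes an array of fully qualified class names, as the remediation steps state; the exception type raised for a disallowed class is not given on the page, so the example catches `Throwable`.

```php
<?php
// Added example, not from the advisory or the library. Assumes
// zumba/json-serializer >= 3.2.3 installed via Composer and that
// setAllowedClasses() accepts an array of class names (per the advisory).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Zumba\JsonSerializer\JsonSerializer;

// Hypothetical application types standing in for a real code base.
final class UserProfile { public string $name = ''; }
final class InternalOnly { public string $path = ''; } // never from the network

// Constructed untrusted payload: the @type hint is attacker-controlled.
$untrusted = '{"@type":"InternalOnly","path":"/tmp/example"}';

// Weak configuration: after the upgrade allowedClasses is still null, so any
// class named in @type is instantiated (the default-allow the advisory warns about).
$weak = new JsonSerializer();
var_dump(get_class($weak->unserialize($untrusted)));

// Corrected configuration: an explicit allowlist of the DTOs this endpoint expects.
$hardened = new JsonSerializer();
$hardened->setAllowedClasses([UserProfile::class]);

function decodeUntrusted(JsonSerializer $serializer, string $json): ?object
{
    try {
        $value = $serializer->unserialize($json);
    } catch (\Throwable $e) {
        // Log and drop: a disallowed @type from outside is a probe, not a user error.
        error_log('rejected deserialization: ' . $e->getMessage());
        return null;
    }
    // Only hand back objects of the allowed DTO type to the caller.
    return $value instanceof UserProfile ? $value : null;
}

var_dump(decodeUntrusted($hardened, $untrusted));
var_dump(decodeUntrusted($hardened, '{"@type":"UserProfile","name":"ann"}'));
```

Step 4 of the remediation list is the second `decodeUntrusted()` call: a legitimate `UserProfile` payload must still round-trip once the allowlist is in place.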

References


Read the full report for CVE-2026-27206 on our website for more details including interactive diagrams and full exploit analysis.
