Deserialization of Untrusted Data in emissary - CVE-2021-32634

 

Published: May 21, 2021 / Updated: April 7, 2026


Vulnerability identifier: #VU125041
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-32634
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: emissary
Software vendor: National Security Agency

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in the WorkSpaceClientEnqueue.action REST endpoint when processing post-authenticated requests. A remote privileged user can send a specially crafted serialized request to execute arbitrary code.

Since version 6.3.0, the endpoint is protected against CSRF attacks, which reduces the impact of the vulnerability.


Remediation

Install the security update from the vendor's website.
