Cast Attack: ghost bits in Java as a new class of parser differential attacks
⚔️ Attack Techniques & Methods · 2026-05-05, 10:04
At Black Hat Asia 2026, researchers identified a systemic pattern in the Java ecosystem: operations such as (byte) ch, ch & 0xff, and OutputStream.write(int) implicitly cast a 16-bit char to a byte, discarding the upper 8 bits. The authors termed this phenomenon ghost bits and identified over 8,000 occurrences through static analysis.
This leads to a new type of parser differential: a WAF or frontend processes a valid Unicode string, while a downstream component, after bit truncation, interprets it as ASCII with different semantics. A canonical example: 陪 (U+966A) becomes 0x6A (j), so the path 1.陪sp is stored as 1.jsp, bypassing extension-based filtering.
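The truncation described above, as an added illustration that is not code from the talk or from the Ghost-Bits-Scanner project: a one-byte-per-char encoder built on OutputStream.write(int) beside a hardened version that rejects any char outside Latin-1 (class name, method names and the sample path are assumptions).

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Added example, not from the original page: ghost bits in char-to-byte conversion.
public class GhostBits {

    // Vulnerable pattern: one byte per char; write(int) keeps only the low 8 bits,
    // so U+966A silently becomes 0x6A ('j').
    static byte[] truncatingEncode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            out.write(s.charAt(i));
        }
        return out.toByteArray();
    }

    // Hardened pattern: refuse any char that does not fit in one byte.
    // When text is expected downstream, encode with an explicit charset instead
    // (s.getBytes(StandardCharsets.UTF_8)) so the code point is preserved.
    static byte[] strictLatin1Encode(String s) {
        byte[] out = new byte[s.length()];
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            if (ch > 0xFF) {
                throw new IllegalArgumentException(
                    String.format("non-Latin-1 char U+%04X at index %d", (int) ch, i));
            }
            out[i] = (byte) ch; // safe here: value is already within 0..255
        }
        return out;
    }

    public static void main(String[] args) {
        String path = "1.\u966Asp"; // constructed sample: "1.陪sp"

        // A string-based extension filter sees no ".jsp" suffix in the original.
        System.out.println("filter sees .jsp: " + path.endsWith(".jsp"));

        // After truncation the downstream component sees a different path.
        String seen = new String(truncatingEncode(path), StandardCharsets.ISO_8859_1);
        System.out.println("downstream sees: " + seen + " (.jsp: " + seen.endsWith(".jsp") + ")");

        // The strict encoder rejects the input instead of aliasing it.
        try {
            strictLatin1Encode(path);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```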
Confirmed impact includes Tomcat, Spring (CVE-2025-41242), Jetty, Apache HttpClient, JDK HttpServer (CVE-2026-21933), Jackson, fastjson, and other components. One of the most critical vectors is SMTP injection in Eclipse Angus Mail (CVE-2025-7962). Since Angus Mail is widely used as a transitive dependency, the issue propagated to Confluence, Jira, Bitbucket, Keycloak, and TeamCity (CVE-2025-57733). In Jira, this allows abuse of the corporate mail backend to send phishing emails that pass SPF, DKIM, and DMARC checks.
📎 Ghost-Bits-Scanner: https://github.com/GeetoRinku/Ghost-Bits-Scanner