Hyperledger · Fabric-Sdk-Java · CVE-2026-41586
**Name of the Vulnerable Software and Affected Versions**
Hyperledger Fabric versions 1.0.0 through 2.2.26
**Description**
In the deprecated `fabric-sdk-java` client SDK, the `Channel.java` file implements `readObject()` and exposes the `deSerializeChannel()` function, both of which call `ObjectInputStream.readObject()` on untrusted byte arrays without configuring an `ObjectInputFilter`. This creates a Java deserialization issue where an attacker who can supply crafted serialized Channel bytes—such as by compromising a local channel file or injecting data through an application—can achieve remote code execution (RCE) via gadget chain exploitation. This is a client-side issue and does not involve data transmitted from Fabric peers.
**Recommendations**
Migrate to `org.hyperledger.fabric:fabric-gateway`, which does not use Java serialization.
As a temporary workaround for the deprecated SDK, add an `ObjectInputFilter` to whitelist only expected classes within the `deSerializeChannel()` function.
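The workaround above, worked through as an added example (this is not code from `fabric-sdk-java` and not the project's own fix): an `ObjectInputFilter` built from an allowlist pattern is installed on the `ObjectInputStream` before `readObject()` runs, so any class descriptor outside the list is rejected with `InvalidClassException` before its fields are read. `ChannelSnapshot` is a constructed stand-in for the SDK's serialized `Channel` state, and the pattern string is a placeholder: for the real SDK the allowlist has to be assembled from the classes that actually appear in a serialized `Channel` object graph. The `java.io.ObjectInputFilter` API requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class FilteredChannelDeserializer {

    // Constructed stand-in for the serialized channel state. This is NOT the
    // SDK's org.hyperledger.fabric.sdk.Channel class; it only exists so the
    // example runs offline.
    static final class ChannelSnapshot implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final long blockHeight;
        final String[] peerUrls;

        ChannelSnapshot(String name, long blockHeight, String[] peerUrls) {
            this.name = name;
            this.blockHeight = blockHeight;
            this.peerUrls = peerUrls;
        }
    }

    // Allowlist pattern (placeholder for the SDK's real object graph):
    //  - resource limits first, so oversized or deeply nested streams fail early
    //  - the exact classes the snapshot is known to contain
    //  - a trailing "!*" that rejects every class not listed above it
    // Primitive fields need no entry; arrays are checked by their element type.
    static final ObjectInputFilter CHANNEL_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=512;maxbytes=1048576;"
            + "java.lang.String;"
            + ChannelSnapshot.class.getName() + ";"
            + "!*");

    // Helper used only to produce sample streams for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Hardened counterpart of an unfiltered readObject(): the filter is set on
    // the stream before any class descriptor is resolved, and the root object's
    // type is checked explicitly after the read.
    static ChannelSnapshot deserializeChannel(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(CHANNEL_FILTER);
            Object root = ois.readObject();
            if (!(root instanceof ChannelSnapshot)) {
                throw new InvalidClassException("unexpected root type " + root.getClass().getName());
            }
            return (ChannelSnapshot) root;
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected stream: accepted because every class in it is allowlisted.
        byte[] good = serialize(new ChannelSnapshot(
                "mychannel", 42L, new String[] {"grpcs://peer0.example.invalid:7051"}));
        ChannelSnapshot s = deserializeChannel(good);
        System.out.println("accepted: " + s.name + " at block " + s.blockHeight);

        // Unexpected stream: HashMap stands in for any class outside the
        // allowlist. The filter rejects it before any of its fields are read.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        byte[] bad = serialize(unexpected);
        try {
            deserializeChannel(bad);
            System.out.println("BUG: unexpected stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide through the `jdk.serialFilter` system property instead of per stream, which is a reasonable belt-and-braces setting for an application that should never deserialize anything else; the per-stream filter in `deSerializeChannel()` is still the precise fix the advisory recommends because it is scoped to the one code path that reads untrusted bytes.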