← back
CVE-2022-25845

Deserialization of Untrusted Data

CVSS 8.1 HIGHEPSS 17.8%
The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
Affected products
n/a · com.alibaba:fastjson

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60dhttps://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15https://github.com/alibaba/fastjson/releases/tag/1.2.83https://github.com/alibaba/fastjson/wiki/security_update_20220523https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222https://www.ddosi.org/fastjson-poc/https://www.oracle.com/security-alerts/cpujul2022.html