CRITICAL🇵🇱 Wersja polska

CVE-2025-70974

CVSS 10.0v3.1pub. 2026-01-09upd. 2026-06-27

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

🤖 AI Analysis
How it works

When a JSON document contains a @type key, Fastjson reads its value as a Java class name and invokes public methods of that class. An attacker can place a malicious payload in the JSON document, which through the JNDI (Java Naming and Directory Interface) mechanism causes a connection to be established to a server controlled by the attacker and loads remote code. The vulnerability is a result of an incomplete fix for the earlier CVE-2017-18349 bug, and its later bypass variant is described in CVE-2022-25845.

Impact

A successful attack enables remote code execution (RCE) on the server processing JSON data, without requiring privileges or user interaction. An attacker can gain full control over the vulnerable system, including breach of confidentiality, integrity, and availability of data.

Mitigation & patch

The Fastjson library must be immediately updated to version 1.2.48 or later. Details of changes are available in the vendor's references (GitHub: alibaba/fastjson, comparison of versions 1.2.47 → 1.2.48). It is also recommended to verify that the environment is not using versions vulnerable to the related bypass described in CVE-2022-25845, which may require updating to an even newer version.

Who is affected

Alibaba Fastjson library in all versions before 1.2.48. It affects any Java application processing JSON data using this library with the autoType mechanism enabled.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References