Cyber Security

High-Severity RCE Vulnerability Reported in Popular Fastjson Library

Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution.

Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called “AutoType.” It was patched by the project maintainers in version 1.2.83 released on May 23, 2022.


“This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize,” JFrog’s Uriya Yavnieli said in a write-up.

Fastjson is a Java library that’s used to convert Java Objects into their JSON representation and vice versa. AutoType, the function vulnerable to the flaw, is enabled by default and is designed to specify a custom type when parsing a JSON input that can then be deserialized into an object of the appropriate class.

“However, if the deserialized JSON is user-controlled, parsing it with AutoType enabled can lead to a deserialization security issue, since the attacker can instantiate any class that’s available on the Classpath, and feed its constructor with arbitrary arguments,” Yavnieli explained.


While the project owners previously introduced a safeMode that disables AutoType and started maintaining a blocklist of classes to defend against deserialization flaws, the newly discovered flaw gets around the latter of these restrictions to result in remote code execution.

Users of Fastjson are recommended to update to version 1.2.83 or enable safeMode, which turns off the function regardless of the allowlist and blocklist used, effectively closing variants of the deserialization attack.

“Although a public PoC exploit exists and the potential impact is very high (remote code execution) the conditions for the attack are not trivial (passing untrusted input to specific vulnerable APIs) and most importantly — target-specific research is required to find a suitable gadget class to exploit,” Yavnieli said.

Products You May Like

Articles You May Like

New ToddyCat Hacker Group on Experts’ Radar After Targeting MS Exchange Servers
Apple AirPods Pro (2nd Generation) Will Feature Hearing Aid Function, Heart Rate Detection: Report
Google, NBCUniversal Lead Bid for Netflix’s Ad-Supported Subscription Plan Tie-Up: Report
Crypto lending firm Celsius asks users for more time to fix issues after halting withdrawals
India’s GSAT-24 Satellite Launched Onboard Ariane 5 Rocket, Entire Capacity Leased to Tata Play

Leave a Reply

Your email address will not be published.