CVE-2022-25845
published 2022-06-10


Priority: P2 (65) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 17.77% (96.8th percentile)
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alibaba | fastjson | < 1.2.83 | 1.2.83 |
| oracle | communications_cloud_native_core_unified_data_repository | (not stated) | (not stated) |

Detection & IOCs (extracted from sources)

  • Vulnerable versions of com.alibaba:fastjson are those before 1.2.83; detect use of these versions in Java classpaths or dependency manifests as a risk indicator for CVE-2022-25845
  • The attack vector is HTTP-based remote exploitation; monitor HTTP traffic for JSON payloads containing @type keys with Java class names, which is the mechanism used to trigger autoType deserialization
  • Inspect inbound JSON documents for @type fields referencing arbitrary Java class names; this is the trigger pattern for autoType bypass deserialization attacks in fastjson
  • Check whether fastjson safeMode is disabled in application configuration; safeMode completely disables autoType and eliminates the vulnerability — its absence is a detection/hardening gap indicator
  • The autoType bypass is only exploitable 'under certain conditions' — not all deployments using fastjson < 1.2.83 are equally exposed; context-specific configuration (e.g., safeMode already enabled) may reduce risk
  • CVE-2022-25845 is a bypass of the fix for CVE-2017-18349; environments that believed they were protected by the earlier patch may still be vulnerable if running fastjson < 1.2.83
  • Red Hat products are assessed as Not Affected or Out of Support Scope for this CVE; detections targeting Red Hat-packaged fastjson deployments may produce false positives
  • Oracle Communications UDR is confirmed affected via HTTP with a CVSS score of 9.8; network-level detections should prioritise HTTP traffic to Oracle Communications UDR deployments
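The two checks the list above describes (flagging fastjson versions before 1.2.83 in a dependency manifest, and spotting `@type` keys carrying Java class names in inbound JSON) as a small defensive script. This is an added example, not code from the CVE database or from the fastjson project. The Maven `pom.xml` fragment and the JSON bodies are constructed samples; the class name `com.example.SomeBean` is a placeholder, and the regular expression for a Java fully qualified class name is a heuristic, not a definitive test.

```python
"""Defensive checks for CVE-2022-25845 (fastjson autoType bypass).

Added example, not part of the advisory. It implements two items from
the "Detection & IOCs" list:
  1. is_vulnerable_version()/fastjson_versions_in_pom(): flag
     com.alibaba:fastjson versions before 1.2.83 in a pom.xml.
  2. find_autotype_keys()/scan_json_body(): walk a JSON document and
     report every "@type" key whose value looks like a Java class name,
     the trigger pattern for autoType deserialization.
All sample data below is constructed for illustration.
"""
import json
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 2, 83)  # first fixed release per the advisory
# Heuristic for a Java fully qualified class name: at least two dotted
# identifiers, '$' allowed for inner classes. Single words ("int") are ignored.
JAVA_CLASS_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample manifest declaring a vulnerable fastjson release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>fastjson</artifactId>
      <version>1.2.80</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample HTTP bodies: one benign, one with the @type trigger
# pattern nested inside an object (placeholder class name), one unparseable.
SAMPLE_BODIES = [
    '{"name": "alice", "age": 30}',
    '{"user": {"@type": "com.example.SomeBean", "x": 1}}',
    "this is not json",
]


def parse_version(version: str) -> tuple:
    """Turn '1.2.83' into (1, 2, 83); a trailing qualifier such as
    '-SNAPSHOT' is dropped, and parsing stops at the first non-numeric part."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the fastjson version sorts before 1.2.83."""
    return parse_version(version) < FIXED_VERSION


def fastjson_versions_in_pom(pom_xml: str) -> list:
    """Return every version of com.alibaba:fastjson declared in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter(MAVEN_NS + "dependency"):
        group = dep.findtext(MAVEN_NS + "groupId")
        artifact = dep.findtext(MAVEN_NS + "artifactId")
        version = dep.findtext(MAVEN_NS + "version")
        if group == "com.alibaba" and artifact == "fastjson" and version:
            found.append(version.strip())
    return found


def find_autotype_keys(document, path="$") -> list:
    """Recursively collect (json_path, value) for every '@type' key whose
    value looks like a Java class name. Operates on parsed JSON (dict/list)."""
    hits = []
    if isinstance(document, dict):
        for key, value in document.items():
            child = f"{path}.{key}"
            if key == "@type" and isinstance(value, str) and JAVA_CLASS_RE.match(value):
                hits.append((child, value))
            hits.extend(find_autotype_keys(value, child))
    elif isinstance(document, list):
        for i, item in enumerate(document):
            hits.extend(find_autotype_keys(item, f"{path}[{i}]"))
    return hits


def scan_json_body(body: str) -> list:
    """Parse a raw JSON body and return autoType hits; unparseable input yields []."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return []
    return find_autotype_keys(parsed)


if __name__ == "__main__":
    for v in fastjson_versions_in_pom(SAMPLE_POM):
        status = "VULNERABLE (< 1.2.83)" if is_vulnerable_version(v) else "ok"
        print(f"com.alibaba:fastjson {v}: {status}")
    for body in SAMPLE_BODIES:
        print(f"{body[:40]!r}: {scan_json_body(body) or 'no @type trigger pattern'}")
```

The JSON walk reports the path of each hit so an analyst can see where in a request the `@type` key sits; only values with at least one dot are flagged, which keeps primitive type names out of the results. The safeMode check from the list is a configuration review rather than a traffic check, and the fastjson wiki linked in the description documents how that setting is enabled.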

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_oracle | | 9.8 | HIGH | |
| vendor_redhat | | 9.8 | CRITICAL | |