CVE-2022-25845
Published 2022-06-10
Priority P265 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 17.77% (96.8th percentile)
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alibaba | fastjson | < 1.2.83 | 1.2.83 |
| oracle | communications_cloud_native_core_unified_data_repository | — | — |
Detection & IOCs (extracted from sources)
- Vulnerable versions of com.alibaba:fastjson are those before 1.2.83; detect use of these versions in Java classpaths or dependency manifests as a risk indicator for CVE-2022-25845.
- The attack vector is HTTP-based remote exploitation; monitor HTTP traffic for JSON payloads containing @type keys with Java class names, which is the mechanism used to trigger autoType deserialization.
- Inspect inbound JSON documents for @type fields referencing arbitrary Java class names; this is the trigger pattern for autoType bypass deserialization attacks in fastjson.
- Check whether fastjson safeMode is disabled in application configuration; safeMode completely disables autoType and eliminates the vulnerability — its absence is a detection/hardening gap indicator.
- The autoType bypass is only exploitable "under certain conditions"; not all deployments using fastjson < 1.2.83 are equally exposed, and context-specific configuration (e.g., safeMode already enabled) may reduce risk.
- CVE-2022-25845 is a bypass of the fix for CVE-2017-18349; environments that believed they were protected by the earlier patch may still be vulnerable if running fastjson < 1.2.83.
- Red Hat products are assessed as Not Affected or Out of Support Scope for this CVE; detections targeting Red Hat-packaged fastjson deployments may produce false positives.
- Oracle Communications UDR is confirmed affected via HTTP with a CVSS score of 9.8; network-level detections should prioritise HTTP traffic to Oracle Communications UDR deployments.
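The second and third indicators above describe the detection pattern (an @type key whose value is a Java class name, anywhere in an inbound JSON body). The following is an added illustration of that check, not code from this page or from the fastjson project: it walks a request body recursively, reports every @type reference with its JSON path, and grades the body against an allowlist of types the application legitimately deserializes. The class names, sample bodies and the allowlist are constructed for the example.

```python
import json
import re

# Fully-qualified Java class name, e.g. com.example.app.User or com.example.Outer$Inner.
JAVA_CLASS_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")


def find_autotype_refs(doc, path="$"):
    """Return every (json_path, class_name) pair where an "@type" key names a Java class.
    Nested objects and arrays are walked too: the key is honoured at any depth, so a
    top-level-only check would miss most payloads."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            if key == "@type" and isinstance(value, str) and JAVA_CLASS_RE.match(value):
                hits.append((path, value))
            hits.extend(find_autotype_refs(value, f"{path}.{key}"))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            hits.extend(find_autotype_refs(item, f"{path}[{i}]"))
    return hits


def classify_body(raw, allowlist=frozenset()):
    """Classify one HTTP request body as "clean", "allowed" or "suspicious".
    Non-JSON bodies are "clean" (they never reach the parser's autoType path).
    References to allowlisted classes are "allowed"; anything else is "suspicious"."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return "clean", []
    refs = find_autotype_refs(doc)
    if not refs:
        return "clean", []
    verdict = "suspicious" if any(cls not in allowlist for _, cls in refs) else "allowed"
    return verdict, refs


# Constructed sample bodies (not captured traffic) and a constructed allowlist.
EXPECTED_TYPES = frozenset({"com.example.app.User"})
SAMPLE_BODIES = {
    "plain": '{"name": "alice", "age": 30}',
    "allowed": '{"user": {"@type": "com.example.app.User", "name": "bob"}}',
    "nested": '{"items": [{"id": 1}, {"meta": {"@type": "org.example.NotOnAllowlist"}}]}',
    "not_json": "name=alice&age=30",
}


def scan_samples():
    """Run the classifier over the constructed samples and return name -> verdict."""
    return {name: classify_body(body, EXPECTED_TYPES)[0] for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:9s} -> {verdict}")
```

The same walk can be run over request logs or a WAF's captured bodies; an "allowed" verdict on an unexpected endpoint is still worth a second look, since safeMode (not an allowlist) is the fix the advisory recommends.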
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 9.8 | HIGH | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Red Hat
vendor_redhat · 2026-01-09 · CVSS 9.8
CVE-2025-70974 [CRITICAL] CWE-829 fastjson: Fastjson: Remote Code Execution via JNDI Injection due to autoType mishandling
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
A flaw was found in Fastjson, a popular Java library for converting Java objects to JSON and vice versa. This vulnerability allows a remote attacker to execute arbitrary code on
Oracle
vendor_oracle · 2022-07-15 · CVSS 9.8
CVE-2022-25845 [HIGH] Oracle Oracle Communications Risk Matrix: UDR (fastjson) vulnerability
CVE: CVE-2022-25845
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2022 (JUL 2022)
Red Hat
vendor_redhat · 2022-06-10 · CVSS 8.1
CVE-2022-25845 [HIGH] CWE-502 fastjson: autoType shutdown restriction bypass leads to deserialization
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
A flaw was found in com.alibaba:fastjson, a fast JSON parser/generator for Java. Affected versions of this package are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions.
Mitigation: Users who can not upgrade to the fixed version may en
OSV
osv · 2026-01-09 · CVSS 9.8
CVE-2025-70974 [CRITICAL] FASTJSON Includes Functionality from Untrusted Control Sphere
Fastjson before 1.2.48 mishandles autoType because, when an `@type` key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
GHSA
ghsa · 2026-01-09 · CVSS 9.8
CVE-2025-70974 [CRITICAL] CWE-829 FASTJSON Includes Functionality from Untrusted Control Sphere
Fastjson before 1.2.48 mishandles autoType because, when an `@type` key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
VulnCheck
vulncheck · 2025 · CVSS 9.8
CVE-2025-70974 [CRITICAL] alibaba fastjson Inclusion of Functionality from Untrusted Control Sphere
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
Affected: alibaba fastjson
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploit
GHSA
ghsa · 2022-06-11
CVE-2022-25845 [HIGH] CWE-502 Unsafe deserialization in com.alibaba:fastjson
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
OSV
osv · 2022-06-11
CVE-2022-25845 [HIGH] Unsafe deserialization in com.alibaba:fastjson
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz · CVSS 9.8
CVE-2025-70974 [CRITICAL] CVE-2025-70974 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-70974: Java vulnerability analysis and mitigation
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
Source: NVD
Score: 10
Published: January 9, 2026
Severity: CRITICAL
CNA Score: 10.0
Affected Technologies: Java
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
arXiv
arxiv_fulltext · 2026-03
A Large-scale Empirical Study on the Generalizability of Disclosed Java Library Vulnerability Exploits
## Abstract
Open-source software supply chain security relies heavily on assessing affected versions of library vulnerabilities. While prior studies have leveraged exploits for verifying vulnerability affected versions, they point out a key limitation that exploits are version-specific and cannot be directly applied across library versions. Despite being widely acknowledged, this limitation has not been systematically validated at scale, leaving the actual applicability of exploits across versions unexplored. To fill this gap, we conduct the first large-scale empirical study on exploit applicability across library versions. We construct a comprehensive dataset consisting of 259 exploits spanning 128 Java libraries and 28,150 historical versions, covering 61 CWEs that account for 76.33% of
arXiv
arxiv_fulltext · 2024-09-04
Does the Vulnerability Threaten Our Projects? Automated Vulnerable API Detection for Third-Party Libraries
Fangyuan Zhang, Lingling Fan*, Sen Chen, Miaoying Cai, Sihan Xu, and Lida Zhao
Fangyuan Zhang and Miaoying Cai are with DISSec, NDST, College of Computer Science, Nankai University, China. Emails: {fangyuanzhang, miaoyingcai}@mail.nankai.edu.cn.
Lingling Fan (corresponding author) and Sihan Xu are with DISSec, NDST, College of Cyber Science, Nankai University, China. Emails: {linglingfan, xusihan}@nankai.edu.cn.
Sen Chen is with the College of Intelligence and Computing, Tianjin University, China.
Lida Zhao is with the School of Computer Science and Engineering, Nanyang Technological University.
arXiv
arxiv_fulltext · 2023-10-03
How well does LLM generate security tests?
## Abstract
Developers often build software on top of third-party libraries (Libs) to improve programmer productivity and software quality. The libraries may contain vulnerabilities exploitable by hackers to attack the applications (Apps) built on top of them. People refer to such attacks as supply chain attacks, the documented number of which has increased 742% in 2022. People created tools to mitigate such attacks, by scanning the library dependencies of Apps, identifying the usage of vulnerable library versions, and suggesting secure alternatives to vulnerable dependencies. However, recent studies show that many developers do not trust the reports by these tools; they ask for code or evidence to demonstrate how library vulnerabilities lead to
References
- https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d
- https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15
- https://github.com/alibaba/fastjson/releases/tag/1.2.83
- https://github.com/alibaba/fastjson/wiki/security_update_20220523
- https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222
- https://www.ddosi.org/fastjson-poc/
- https://www.oracle.com/security-alerts/cpujul2022.html