CVE-2025-70974
published 2026-01-09

Priority: P1 81 · critical · CVSS 3.1 base score 10
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
In the wild: VulnCheck KEV · exploited in the wild
EPSS: 0.69% (48.1th percentile)

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

Detection & IOCs (extracted from sources)

Indicator (other): @type key in JSON document used for JNDI injection payload delivery
  • Inspect incoming JSON documents for the presence of an `@type` key — this is the trigger for Fastjson's autoType feature and the entry point for exploitation.
  • Look for JNDI injection strings (e.g., ldap://, rmi://, dns://) appearing elsewhere in the same JSON document that also contains an `@type` key, as the attacker-supplied JNDI payload is placed in a separate field.
  • Flag or block use of Fastjson versions prior to 1.2.48 in your environment, as all such versions are vulnerable to this autoType mishandling leading to RCE.
  • Treat this as an actively exploited vulnerability; prioritize detection and response given confirmed in-the-wild exploitation spanning 2023 through 2025.
  • This CVE is an incomplete fix for CVE-2017-18349; environments that patched only for CVE-2017-18349 may still be vulnerable. A further bypass is separately tracked as CVE-2022-25845.
  • Red Hat has assessed all listed products (Red Hat build of Apache Camel for Spring Boot 4, Debezium 2/3, Red Hat Fuse 7, JBoss EAP 8, OpenShift Service Mesh 2, etc.) as Not Affected because the vulnerable code path is not present in those distributions.
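The first two detection bullets can be turned into a small checker. The Python below is an added example, not code from the advisory or any of its sources: it walks a JSON document, records every `@type` key and every string carrying a ldap://, rmi:// or dns:// URL, and flags the document only when both indicators are present. The sample documents, the `com.example.PlaceholderClass` name and the `jndi-host.example` host are constructed placeholders.

```python
import json
import re

# Constructed pattern for the JNDI scheme prefixes the advisory lists.
JNDI_URL = re.compile(r"\b(?:ldaps?|rmi|dns)://[^\s\"']+", re.IGNORECASE)
RAW_TYPE = re.compile(r'"@type"\s*:\s*"([^"]*)"')


def _walk(node, path, hits):
    """Recursively record @type class names and JNDI-looking strings."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "@type" and isinstance(value, str):
                hits["autotype"].append((child, value))
            _walk(value, child, hits)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", hits)
    elif isinstance(node, str):
        for m in JNDI_URL.finditer(node):
            hits["jndi"].append((path, m.group(0)))


def inspect_json(doc_text):
    """Flag a document only when an @type key AND a JNDI URL both appear."""
    hits = {"autotype": [], "jndi": [], "parse_error": False}
    try:
        parsed = json.loads(doc_text)
    except ValueError:
        # Malformed JSON still gets a raw-text pass so it is not ignored.
        hits["parse_error"] = True
        hits["autotype"] = [("<raw>", c) for c in RAW_TYPE.findall(doc_text)]
        hits["jndi"] = [("<raw>", u) for u in JNDI_URL.findall(doc_text)]
    else:
        _walk(parsed, "", hits)
    hits["suspicious"] = bool(hits["autotype"] and hits["jndi"])
    return hits


# Constructed sample documents; host and class names are placeholders.
BENIGN = '{"user": "alice", "homepage": "https://example.org"}'
SUSPICIOUS = ('{"@type": "com.example.PlaceholderClass", '
              '"target": {"url": "ldap://jndi-host.example:1389/x"}}')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_json(doc))
```

A document with an `@type` key but no JNDI URL is reported but not flagged, which keeps legitimate Fastjson typed payloads from tripping the rule on their own.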

CVSS provenance

  nvd            v3.1  10.0  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  ghsa                  9.8  CRITICAL
  osv                   9.8  CRITICAL
  vulncheck             9.8  CRITICAL
  vendor_redhat         9.8  CRITICAL