CVE-2025-70974
Published: 2026-01-09
Priority: P1 (81) · Critical · CVSS 3.1 base score 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 0.69% (48.1 percentile)
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
Detection & IOCs (extracted from sources)
Indicator (other): `@type` key in JSON document used for JNDI injection payload delivery
- Inspect incoming JSON documents for the presence of an `@type` key: this is the trigger for Fastjson's autoType feature and the entry point for exploitation.
- Look for JNDI injection strings (e.g., ldap://, rmi://, dns://) appearing elsewhere in the same JSON document that also contains an `@type` key, as the attacker-supplied JNDI payload is placed in a separate field.
- Flag or block use of Fastjson versions prior to 1.2.48 in your environment, as all such versions are vulnerable to this autoType mishandling leading to RCE.
- Treat this as an actively exploited vulnerability; prioritize detection and response given confirmed in-the-wild exploitation spanning 2023 through 2025.
- This CVE is an incomplete fix for CVE-2017-18349; environments that patched only for CVE-2017-18349 may still be vulnerable. A further bypass is separately tracked as CVE-2022-25845.
- Red Hat has assessed all listed products (Red Hat build of Apache Camel for Spring Boot 4, Debezium 2/3, Red Hat Fuse 7, JBoss EAP 8, OpenShift Service Mesh 2, etc.) as Not Affected because the vulnerable code path is not present in those distributions.
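The first three detection points above turned into a small gateway-side check, as an added example that is not code from this page, from Fastjson, or from any of the quoted sources. It parses a request body, records every `@type` key (with the class name it names) and every string value carrying a JNDI-style scheme, and classifies the document; a second helper applies the "before 1.2.48" version rule. The class name `com.example.PlaceholderClass`, the hosts, and the sample bodies are constructed placeholders, and `ldaps://` is an assumption added to the three schemes the guidance lists.

```python
import json
import re
from typing import Any, Iterator, Optional, Tuple

# Schemes named in the detection guidance (ldap://, rmi://, dns://);
# ldaps:// is an assumption added here as the TLS form of ldap://.
JNDI_SCHEME_RE = re.compile(r"(?:ldaps?|rmi|dns)://", re.IGNORECASE)

# Fixed release named in the advisory text; anything below it is flagged.
FIXED_VERSION = (1, 2, 48)


def _walk(node: Any, path: str = "$") -> Iterator[Tuple[str, Optional[str], Any]]:
    """Yield (json_path, key_or_None, value) for every object member and every
    array element, recursing so values nested inside arrays are not skipped."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            child = f"{path}[{index}]"
            yield child, None, value
            yield from _walk(value, child)


def inspect_document(raw: str) -> dict:
    """Classify one JSON request body.

    verdict:
      "unparseable" - not JSON; hand it to other checks
      "allow"       - neither an @type key nor a JNDI-style string
      "review"      - one of the two indicators alone
      "block"       - @type key plus a JNDI-style URL elsewhere in the document
    json.loads decodes \\u escapes before we look, so an escaped key name is
    still seen as @type.
    """
    try:
        doc = json.loads(raw)
    except ValueError:
        return {"verdict": "unparseable", "autotype": [], "jndi": []}

    autotype = []  # where @type appears and which class name it carries
    jndi = []      # string values that look like JNDI lookup targets
    for path, key, value in _walk(doc):
        if key == "@type":
            autotype.append({"path": path, "class": value})
        if isinstance(value, str) and JNDI_SCHEME_RE.search(value):
            jndi.append({"path": path, "value": value})

    if autotype and jndi:
        verdict = "block"
    elif autotype or jndi:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "autotype": autotype, "jndi": jndi}


def fastjson_is_vulnerable(version: str) -> bool:
    """True for Fastjson releases before 1.2.48. Only the leading three numeric
    components are compared, so a build suffix after them is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Fastjson version string: {version!r}")
    return tuple(int(p) for p in m.groups()) < FIXED_VERSION


# Constructed sample bodies (not captured traffic); class and hosts are placeholders.
SAMPLE_SUSPECT = json.dumps({
    "@type": "com.example.PlaceholderClass",
    "name": "report",
    "settings": {"endpoints": ["https://intranet.example/ok",
                               "ldap://203.0.113.5:1389/x"]},
})
SAMPLE_REVIEW = '{"@type": "com.example.PlaceholderClass", "count": 1}'
SAMPLE_BENIGN = '{"user": "alice", "roles": ["reader"], "home": "https://example.org"}'

if __name__ == "__main__":
    for label, body in (("suspect", SAMPLE_SUSPECT),
                        ("review", SAMPLE_REVIEW),
                        ("benign", SAMPLE_BENIGN)):
        r = inspect_document(body)
        print(f"{label:8s} -> {r['verdict']:12s} "
              f"@type={len(r['autotype'])} jndi={len(r['jndi'])}")
    for v in ("1.2.47", "1.2.48", "1.2.83"):
        print(f"fastjson {v}: {'VULNERABLE' if fastjson_is_vulnerable(v) else 'fixed'}")
```

The check is deliberately coarse: it reports paths so an analyst can see which field carried the class name and which carried the URL, and it sends single-indicator documents to review rather than dropping them. Because Python's `json` module and Fastjson do not parse identical grammars (duplicate keys, lenient syntax), treat a clean verdict as a signal, not proof, and keep the version check as the control that actually closes the issue.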
CVSS provenance
- NVD: v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- GHSA: 9.8 CRITICAL
- OSV: 9.8 CRITICAL
- VulnCheck: 9.8 CRITICAL
- Red Hat (vendor): 9.8 CRITICAL
Red Hat
fastjson: Fastjson: Remote Code Execution via JNDI Injection due to autoType mishandling
vendor_redhat · 2026-01-09 · CVSS 9.8 · CRITICAL · CWE-829
A flaw was found in Fastjson, a popular Java library for converting Java objects to JSON and vice versa. This vulnerability allows a remote attacker to execute arbitrary code on
OSV
FASTJSON Includes Functionality from Untrusted Control Sphere
osv · 2026-01-09 · CVSS 9.8 · CRITICAL
GHSA
FASTJSON Includes Functionality from Untrusted Control Sphere
ghsa · 2026-01-09 · CVSS 9.8 · CRITICAL · CWE-829
VulnCheck
alibaba fastjson Inclusion of Functionality from Untrusted Control Sphere
vulncheck · 2025 · CVSS 9.8 · CRITICAL
Affected: alibaba fastjson
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploit
No detection rules found.
No public exploits indexed.
References
- https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
- https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48
- https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
- https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
- https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238
- https://www.freebuf.com/vuls/208339.html
- https://www.seebug.org/vuldb/ssvid-98020
- https://access.redhat.com/security/cve/CVE-2025-70974
- https://bugzilla.redhat.com/show_bug.cgi?id=2428203
- https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-70974.json
Timeline
- 2026-01-09: Published
- Exploited in the wild