FKIE_CVE-2025-70974

Vulnerability from fkie_nvd - Published: 2026-01-09 07:16 - Updated: 2026-04-15 00:35
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
References
cve@mitre.orghttps://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
cve@mitre.orghttps://github.com/alibaba/fastjson/compare/1.2.47...1.2.48
cve@mitre.orghttps://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
cve@mitre.orghttps://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
cve@mitre.orghttps://www.cnvd.org.cn/flaw/show/CNVD-2019-22238
cve@mitre.orghttps://www.freebuf.com/vuls/208339.html
cve@mitre.orghttps://www.seebug.org/vuldb/ssvid-98020
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845."
    },
    {
      "lang": "es",
      "value": "Fastjson anterior a 1.2.48 maneja incorrectamente autoType porque, cuando una clave @type est\u00e1 en un documento JSON y el valor de esa clave es el nombre de una clase Java, puede haber llamadas a ciertos m\u00e9todos p\u00fablicos de esa clase. Dependiendo del comportamiento de esos m\u00e9todos, puede haber inyecci\u00f3n JNDI con una carga \u00fatil proporcionada por el atacante ubicada en otra parte de ese documento JSON. Esto fue explotado en la naturaleza entre 2023 y 2025. NOTA: este problema existe debido a una correcci\u00f3n incompleta para CVE-2017-18349. Adem\u00e1s, una omisi\u00f3n posterior est\u00e1 cubierta por CVE-2022-25845."
    }
  ],
  "id": "CVE-2025-70974",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "cve@mitre.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-09T07:16:02.677",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.freebuf.com/vuls/208339.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.seebug.org/vuldb/ssvid-98020"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-829"
        }
      ],
      "source": "cve@mitre.org",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.