Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution.
Tracked as CVE-2022-25845, the flaw is described as follows: the package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers.
All about this vulnerability
“This vulnerability affects all Java applications that rely on versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize,” JFrog’s Uriya Yavnieli said in a write-up.
Fastjson is a Java library that can be used to convert Java objects into their JSON representation. It can also be used to convert a JSON string to an equivalent Java object. Fastjson can work with arbitrary Java objects, including pre-existing objects that you do not have the source code of.
“However, if the deserialized JSON is user-controlled, parsing it with AutoType enabled can lead to a deserialization security issue, since the attacker can instantiate any class that’s available on the Classpath and feed its constructor with arbitrary arguments,” Yavnieli explained.
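To make the affected usage pattern concrete, the following Java snippet (an added example, not code from the article or from the Fastjson project) contrasts the untyped JSON.parse call the write-up describes with the typed JSON.parseObject(String, Class) form, and enables Fastjson's safeMode guard, which disables autoType entirely. The LoginRequest class and the sample request bodies are constructed for illustration.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonUsage {

    // Constructed DTO: the only shape untrusted input is allowed to bind to.
    public static class LoginRequest {
        public String username;
        public String password;
    }

    // Pattern the write-up warns about: no target class is given, so the
    // input itself (via an "@type" key) may decide which class is created.
    static Object parseUntyped(String body) {
        return JSON.parse(body);
    }

    // Hardened pattern: bind to one fixed class chosen by the application.
    static LoginRequest parseTyped(String body) {
        return JSON.parseObject(body, LoginRequest.class);
    }

    public static void main(String[] args) {
        // Process-wide guard available since Fastjson 1.2.68: with safeMode on,
        // any "@type" key is rejected instead of being resolved to a class.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Constructed benign request body.
        String ok = "{\"username\":\"alice\",\"password\":\"s3cret\"}";
        LoginRequest req = parseTyped(ok);
        System.out.println("bound user: " + req.username);

        // Constructed body carrying a type hint; the class name is a placeholder.
        String withTypeHint = "{\"@type\":\"com.example.PlaceholderClass\"}";
        try {
            parseUntyped(withTypeHint);
            System.out.println("unexpected: type hint was accepted");
        } catch (JSONException e) {
            // Expected under safeMode: the type hint is refused before any
            // class lookup happens.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The typed form alone does not replace upgrading to a fixed release; it limits which class the parser will populate, while safeMode (or the equivalent -Dfastjson.parser.safeMode=true JVM property) removes autoType handling altogether.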
Who is affected by the Fastjson vulnerability CVE-2022-25845?
This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the