CVE-2022-25845: The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data, which is possible under certain conditions.
JSON Object Type Confusion
This vulnerability can be mitigated by upgrading to fastjson 1.2.83 or later.
- You can enable safeMode by setting `safeJsonType to false and safeJsonPadding to `
- Another way to avoid this issue is to deserialize JSON data using `
- You can use a data type that is not vulnerable to this issue. For example, `
- You can disable autoType and choose your own data type.
- Be cautious when you receive a large amount of JSON data.
- Check your server certificate.
- Check your server configuration.
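As an added example (not code from this advisory or from the fastjson project), the following shows the two mitigations above that a developer can apply in code: turning on fastjson's global safeMode, which disables autoType entirely, and always binding input to a concrete class chosen by the application rather than by the input. It assumes a fastjson release that provides `ParserConfig.setSafeMode` (1.2.68 and later, per the project's documentation); the `Greeting` class, the `com.example.Placeholder` type name and both JSON strings are constructed for the demonstration.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeDemo {
    // The only shape the application agrees to accept from callers.
    public static class Greeting {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Constructed sample input: a normal message, and one carrying an "@type" hint
    // (the class name is a placeholder, not a real class).
    static final String NORMAL = "{\"name\":\"alice\"}";
    static final String WITH_TYPE_HINT =
        "{\"@type\":\"com.example.Placeholder\",\"name\":\"alice\"}";

    public static void main(String[] args) {
        // Enable safeMode globally; equivalent to starting the JVM with
        // -Dfastjson.parser.safeMode=true. This switches autoType off completely.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Bind to a concrete class chosen by the application, never to Object.
        Greeting g = JSON.parseObject(NORMAL, Greeting.class);
        System.out.println("parsed name: " + g.getName());

        try {
            JSON.parseObject(WITH_TYPE_HINT, Greeting.class);
            System.out.println("unexpected: @type hint was accepted");
        } catch (JSONException e) {
            // Expected with safeMode on: the @type key is refused before any class lookup.
            System.out.println("rejected @type hint: " + e.getMessage());
        }
    }
}
```

Enabling safeMode is a hardening step, not a substitute for the upgrade: affected deployments should still move to fastjson 1.2.83 or later, and any code path that parses untrusted input into `Object` or `JSONObject` with autoType enabled should be reviewed.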
Timeline
Published on: 06/10/2022 20:15:00 UTC
Last modified on: 07/25/2022 18:22:00 UTC
References
- https://www.ddosi.org/fastjson-poc/
- https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15
- https://github.com/alibaba/fastjson/releases/tag/1.2.83
- https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d
- https://github.com/alibaba/fastjson/wiki/security_update_20220523
- https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25845