CVE-2022-25845

Public Exploit

Deserialization of Untrusted Data

Description

The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).

References

Link	Tags
https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222	third party advisory
https://www.ddosi.org/fastjson-poc/	third party advisory exploit
https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15	third party advisory patch
https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d	third party advisory patch
https://github.com/alibaba/fastjson/wiki/security_update_20220523	third party advisory
https://github.com/alibaba/fastjson/releases/tag/1.2.83	third party advisory release notes
https://www.oracle.com/security-alerts/cpujul2022.html	third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2022-25845?: CVE-2022-25845 has been scored as a high severity vulnerability.
How to fix CVE-2022-25845?: To fix CVE-2022-25845, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-25845 being actively exploited in the wild?: It is possible that CVE-2022-25845 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~90% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-25845?: CVE-2022-25845 affects n/a com.alibaba:fastjson.

Description

Category

CWE-502 – Deserialization of Untrusted Data

References

Frequently Asked Questions