Java
CVE-2025-70974
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 190 maven packages depend on com.alibaba:fastjson (47 direct, 143 indirect)
Ecosystem-wide dependent count for version 1.2.48.
DescriptionCVE.org
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
AnalysisAI
Fastjson before 1.2.48 has a well-known autoType deserialization vulnerability enabling JNDI injection and RCE. Exploited in the wild since 2023 through GodzillaWebShell. Maximum CVSS 10.0 with scope change.
Technical ContextAI
When an @type key in JSON specifies a Java class, Fastjson instantiates it and calls its methods (CWE-829). An attacker can reference JNDI-capable classes that connect to attacker-controlled LDAP/RMI servers, which return malicious Java objects for code execution. This is the same class of vulnerability as Log4Shell.
Affected ProductsAI
Fastjson before 1.2.48
RemediationAI
Upgrade Fastjson to 1.2.83+ or migrate to fastjson2. Implement JNDI restrictions (JDK 8u191+ helps but is not sufficient). Monitor for GodzillaWebShell indicators.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-jm7w-5684-pvh8