CVE-2025-70974
CRITICAL
GHSA-jm7w-5684-pvh8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Description
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
Analysis
Fastjson before 1.2.48 has a well-known autoType deserialization vulnerability enabling JNDI injection and RCE. Exploited in the wild since 2023 through GodzillaWebShell. Maximum CVSS 10.0 with scope change.
Technical Context
When an @type key in JSON specifies a Java class, Fastjson instantiates it and calls its methods (CWE-829). An attacker can reference JNDI-capable classes that connect to attacker-controlled LDAP/RMI servers, which return malicious Java objects for code execution. This is the same class of vulnerability as Log4Shell.
Affected Products
Fastjson before 1.2.48
Remediation
Upgrade Fastjson to 1.2.83+ or migrate to fastjson2. Implement JNDI restrictions (JDK 8u191+ helps but is not sufficient). Monitor for GodzillaWebShell indicators.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today