CVE-2022-25845 com.alibaba:fastjson

Package

Manager: maven
Name: com.alibaba:fastjson
Vulnerable Version: >=1.2.25 <1.2.83

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.89917 (percentile 0.99554)

Details

Unsafe deserialization in com.alibaba:fastjson

The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers.

Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).

Metadata

Created: 2022-06-11T00:00:17Z
Modified: 2024-05-15T06:28:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-pv7h-hx5h-mgfj/GHSA-pv7h-hx5h-mgfj.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-pv7h-hx5h-mgfj
Finding: F096
Auto approve: 1