CVE-2025-70974
📋 TL;DR
This is a critical deserialization vulnerability in Fastjson that allows remote code execution via JNDI injection. Attackers can exploit it by sending specially crafted JSON documents containing malicious @type keys, potentially leading to full system compromise. Any application using vulnerable Fastjson versions for JSON parsing is affected.
💻 Affected Systems
- Fastjson
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker executing arbitrary code, installing malware, stealing data, and pivoting to other systems.
Likely Case
Remote code execution leading to data theft, ransomware deployment, or cryptocurrency mining.
If Mitigated
Limited impact with proper network segmentation, but still potential for application compromise.
🎯 Exploit Status
Actively exploited in the wild from 2023-2025. Multiple public PoCs and exploit kits available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.48 or later
Vendor Advisory: https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48
Restart Required: Yes
Instructions:
1. Update the Fastjson dependency to version 1.2.48 or later.
2. Update pom.xml or build.gradle with the new version.
3. Rebuild and redeploy the application.
4. Restart the application server.
🔧 Temporary Workarounds
Disable autoType feature
Configure Fastjson to disable the autoType feature, which is required for exploitation:
ParserConfig.getGlobalInstance().setAutoTypeSupport(false);
Use SafeMode
Enable Fastjson's SafeMode to prevent deserialization of arbitrary classes (SafeMode exists only in 1.2.68 and later, so it is an option for hardening a patched deployment, not a substitute for upgrading a vulnerable one):
ParserConfig.getGlobalInstance().setSafeMode(true);
🧯 If You Can't Patch
- Implement strict input validation to reject JSON containing @type keys
- Deploy WAF rules to block requests containing suspicious @type patterns
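The first workaround above, rejecting any JSON document that carries an @type key, is shown here as an added Python example (not code from the advisory or from the Fastjson project). The sample request bodies are constructed for illustration. The check runs on the parsed document rather than on the raw bytes, so keys spelled with JSON escape sequences are normalised before comparison and nested objects and arrays are covered too:

```python
import json
from typing import Any, List, Tuple

# Constructed sample request bodies (hypothetical, not from the advisory).
SAMPLE_REQUESTS = {
    "benign": '{"user": "alice", "roles": ["admin"], "type": "login"}',
    "top_level": '{"@type": "com.example.SomeClass", "x": 1}',
    "nested": '{"order": {"items": [{"@type": "com.example.Other", "y": 2}]}}',
    # JSON escape for "@" - decodes to the same "@type" key after parsing.
    "escaped": '{"\\u0040type": "com.example.Other"}',
    "malformed": '{"user": ',
}

# Keys that must never reach a Fastjson parser from untrusted input.
FORBIDDEN_KEYS = {"@type"}


def _walk(node: Any, path: str, hits: List[str]) -> None:
    """Recursively collect JSONPath-like locations of forbidden keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in FORBIDDEN_KEYS:
                hits.append(child)
            _walk(value, child, hits)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", hits)


def forbidden_key_paths(body: str) -> List[str]:
    """Parse the body and return every location of a forbidden key.

    Raises json.JSONDecodeError for malformed input; callers decide
    whether malformed JSON is rejected (it should be at a trust boundary).
    """
    hits: List[str] = []
    _walk(json.loads(body), "$", hits)
    return hits


def validate_request_body(body: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for an inbound JSON request body."""
    try:
        hits = forbidden_key_paths(body)
    except json.JSONDecodeError as exc:
        return False, f"reject: malformed JSON ({exc.msg})"
    if hits:
        return False, "reject: forbidden key at " + ", ".join(hits)
    return True, "accept"


if __name__ == "__main__":
    for name, body in SAMPLE_REQUESTS.items():
        accepted, reason = validate_request_body(body)
        print(f"{name:10s} -> {reason}")
```

Placing this check in front of the application (a gateway filter or the WAF's request-body inspection) keeps it independent of the Fastjson version actually deployed, but it only substitutes for the patch where every path into the parser goes through the filter.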
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for Fastjson version <1.2.48. Review pom.xml, build.gradle, or deployed JAR files.
Check Version:
unzip -p fastjson-*.jar META-INF/maven/com.alibaba/fastjson/pom.properties | grep '^version='
Verify Fix Applied:
Confirm Fastjson version is 1.2.48 or later. Test with known exploit payloads to ensure they are rejected.
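The version checks in this section, as an added Python example (not code from the advisory or from the Fastjson project). It pulls the Fastjson dependency version out of a pom.xml and out of the pom.properties file that Maven-built JARs carry under META-INF, and compares it with the 1.2.48 fix version. Both input documents are constructed for illustration; a version given as a Maven property placeholder is reported as unresolved rather than silently treated as safe:

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

FIXED_VERSION = "1.2.48"

# Constructed pom.xml fragment for a hypothetical project (not from the advisory).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>fastjson</artifactId>
      <version>1.2.47</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>other-lib</artifactId>
      <version>3.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed content of META-INF/maven/com.alibaba/fastjson/pom.properties
# as read from inside a deployed JAR.
SAMPLE_POM_PROPERTIES = (
    "#Generated by Maven\n"
    "version=1.2.48\n"
    "groupId=com.alibaba\n"
    "artifactId=fastjson\n"
)


def _numeric_prefix(version: str) -> Optional[Tuple[int, ...]]:
    """Return the leading dotted-integer part of a version, or None."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if version < 1.2.48, False if at or past the fix.

    Returns None when the version is not a plain number (for example a
    Maven placeholder such as ${fastjson.version}) so it can be resolved
    by hand instead of being assumed safe.
    """
    parsed = _numeric_prefix(version)
    if parsed is None:
        return None
    return parsed < _numeric_prefix(FIXED_VERSION)


def _local(tag: str) -> str:
    """Strip an XML namespace prefix like {http://...}tag -> tag."""
    return tag.rsplit("}", 1)[-1]


def fastjson_versions_in_pom(pom_xml: str) -> List[str]:
    """Return every declared version of com.alibaba:fastjson in a pom.xml."""
    root = ET.fromstring(pom_xml)
    found = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("groupId") == "com.alibaba" and fields.get("artifactId") == "fastjson":
            if "version" in fields:
                found.append(fields["version"])
    return found


def version_from_pom_properties(text: str) -> Optional[str]:
    """Read the version= line from a pom.properties file taken from a JAR."""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


if __name__ == "__main__":
    for v in fastjson_versions_in_pom(SAMPLE_POM):
        print(f"pom.xml declares fastjson {v}: vulnerable={is_vulnerable(v)}")
    jar_v = version_from_pom_properties(SAMPLE_POM_PROPERTIES)
    print(f"deployed JAR reports {jar_v}: vulnerable={is_vulnerable(jar_v)}")
```

Checking the deployed JAR as well as the build file matters because the version in pom.xml can be overridden by dependency management in a parent POM or pulled in transitively by another library.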
📡 Detection & Monitoring
Log Indicators:
- Unusual JNDI lookup attempts in logs
- Exceptions related to ClassNotFoundException or autoType
- Suspicious @type values in request logs
Network Indicators:
- HTTP requests containing @type keys with unusual class names
- Outbound LDAP/RMI connections from application servers
SIEM Query:
source="application.logs" AND ("@type" OR "autoType" OR "JNDI")
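The log and network indicators listed above, turned into a small scanner as an added Python example (not code from the advisory or from the Fastjson project). The rule set mirrors the SIEM query's terms and the advisory's indicators: an @type key in a logged request body (with the named class extracted for triage), autoType-related parser errors, ClassNotFoundException, and JNDI, LDAP or RMI references. The log lines are constructed for illustration:

```python
import re
from typing import Dict, List, Optional

# Constructed sample application log lines (hypothetical; not from the advisory).
SAMPLE_LOGS = [
    '2024-05-01T10:00:01Z INFO  api POST /api/order body={"id":42,"qty":1}',
    '2024-05-01T10:00:02Z WARN  api POST /api/order body={"@type":"com.example.Any","x":1}',
    '2024-05-01T10:00:03Z ERROR parser com.alibaba.fastjson.JSONException: autoType is not support. com.example.Any',
    '2024-05-01T10:00:04Z ERROR naming javax.naming.CommunicationException: ldap://203.0.113.5/obj',
    '2024-05-01T10:00:05Z ERROR parser java.lang.ClassNotFoundException: com.example.Missing',
    '2024-05-01T10:00:06Z INFO  api GET /health',
]

# One regex per indicator from the advisory's detection section.
RULES = {
    "at_type_key": re.compile(r'"@type"\s*:\s*"([^"]*)"'),
    "autotype_error": re.compile(r"autoType", re.IGNORECASE),
    "classnotfound": re.compile(r"ClassNotFoundException"),
    "jndi_lookup": re.compile(r"\bJNDI\b|\b(?:ldap|rmi)://", re.IGNORECASE),
}


def scan_line(line: str) -> Optional[Dict]:
    """Return the matching rule names (and the @type class, if any) or None."""
    matched: List[str] = []
    type_value: Optional[str] = None
    for name, rx in RULES.items():
        m = rx.search(line)
        if m:
            matched.append(name)
            if name == "at_type_key":
                type_value = m.group(1)
    if not matched:
        return None
    return {"rules": matched, "type_value": type_value}


def scan_logs(lines: List[str]) -> List[Dict]:
    """Scan a list of log lines and return one hit record per matching line."""
    hits = []
    for i, line in enumerate(lines):
        hit = scan_line(line)
        if hit:
            hit["line"] = i
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: rules={hit['rules']} type={hit['type_value']}")
```

Correlating these in order (an @type key in a request, followed within seconds by an autoType or ClassNotFoundException error and then an outbound LDAP or RMI connection from the same host) gives a much higher-confidence alert than any single term from the SIEM query on its own.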
🔗 References
- https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
- https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48
- https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
- https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
- https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238
- https://www.freebuf.com/vuls/208339.html
- https://www.seebug.org/vuldb/ssvid-98020