CVE-2022-25845: Unsafe deserialization in com.alibaba:fastjson
Versions of the package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data: under certain conditions, the default autoType shutdown restrictions can be bypassed. Exploiting this vulnerability allows attacking remote servers. Workaround: if upgrading is not possible, you can enable safeMode.
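To check a Maven build against the "before 1.2.83" boundary stated above, the following added example (not part of the advisory and not GitLab's scanner) reads the default text output of `mvn dependency:tree` and reports each com.alibaba:fastjson entry, including transitive ones. The sample tree, module names and the `-custom` qualifier are constructed for illustration.

```python
import re

FIXED = (1, 2, 83)  # first fixed release named in the advisory
# Matches the com.alibaba:fastjson coordinate only, not com.alibaba.fastjson2:fastjson2.
COORD = re.compile(r"(?<![\w.])com\.alibaba:fastjson:\S+")

def classify(version):
    """Return 'vulnerable', 'fixed' or 'review' for a fastjson version string."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return "review"  # qualifier builds are not ordered here; check by hand
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # pad "1.2" to (1, 2, 0)
    return "vulnerable" if parts < FIXED else "fixed"

def scan(tree_output):
    """Return (version, scope, direct, status) for each fastjson entry."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        fields = m.group(0).split(":")  # group:artifact:type[:classifier]:version:scope
        if len(fields) < 5:
            continue
        version, scope = fields[-2], fields[-1]
        # Each nesting level in the tree drawing is three characters wide.
        indent = line[:m.start()].replace("[INFO] ", "", 1)
        direct = len(indent) // 3 <= 1
        findings.append((version, scope, direct, classify(version)))
    return findings

# Constructed sample: `mvn dependency:tree` output from three hypothetical modules.
SAMPLE = r"""
[INFO] com.example:api:jar:1.0.0
[INFO] +- com.alibaba:fastjson:jar:1.2.83:compile
[INFO] \- com.alibaba.fastjson2:fastjson2:jar:2.0.7:compile
[INFO] com.example:worker:jar:1.0.0
[INFO] \- com.example:legacy-sdk:jar:3.1.0:compile
[INFO]    \- com.alibaba:fastjson:jar:1.2.80:compile
[INFO] com.example:tools:jar:1.0.0
[INFO] \- com.alibaba:fastjson:jar:1.2.80-custom:test
"""

if __name__ == "__main__":
    for version, scope, direct, status in scan(SAMPLE):
        origin = "direct" if direct else "transitive"
        print(f"fastjson {version} ({scope}, {origin}): {status}")
```

A transitive hit means the version has to be overridden in the consuming project, since the dependency that pulls it in still declares the old release.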
References
- github.com/advisories/GHSA-pv7h-hx5h-mgfj
- github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d
- github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15
- github.com/alibaba/fastjson/releases/tag/1.2.83
- github.com/alibaba/fastjson/wiki/security_update_20220523
- nvd.nist.gov/vuln/detail/CVE-2022-25845
- snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222
- www.ddosi.org/fastjson-poc/