CVE-2022-25845
Deserialization of Untrusted Data
- Severity Score:
- Exploit Likelihood:
- Affected Versions:
- Public Exploits: 6
- Exploited in Wild: -
- Decision: -
Descriptions
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
A flaw was found in com.alibaba:fastjson, a fast JSON parser/generator for Java. Affected versions of this package are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions.
This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse 7.10 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include HTTP request smuggling, bypass, code execution, denial of service, deserialization, information leakage, memory leak, privilege escalation, and traversal vulnerabilities.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-02-24 CVE Reserved
- 2022-06-10 CVE Published
- 2023-03-01 First Exploit
- 2024-09-16 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (14)
URL | Tag | Source |
---|---|---|
https://github.com/alibaba/fastjson/releases/tag/1.2.83 | Release Notes | |
https://github.com/alibaba/fastjson/wiki/security_update_20220523 | Third Party Advisory | |
https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://github.com/nerowander/CVE-2022-25845-exploit | 2023-03-01 | |
https://github.com/hosch3n/FastjsonVulns | 2024-11-28 | |
https://github.com/scabench/fastjson-tp1fn1 | 2024-01-29 | |
https://github.com/luelueking/CVE-2022-25845-In-Spring | 2024-12-06 | |
https://github.com/ph0ebus/CVE-2022-25845-In-Spring | 2024-12-01 | |
https://www.ddosi.org/fastjson-poc | 2024-09-16 | |

URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2022-25845 | 2022-07-07 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2100654 | 2022-07-07 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Alibaba | Fastjson | < 1.2.83 | - | Affected |
Oracle | Communications Cloud Native Core Unified Data Repository | 22.2.0 | - | Affected |