Description

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

INFO

Published Date :

2026-01-09T06:43:23.584Z

Last Modified :

2026-01-09T21:37:10.756Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-70974 vulnerability.

Vendors Products
Alibaba
  • Fastjson
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-70974.

URL Resource
https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955 cve-icon cve-icon
https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48 cve-icon cve-icon
https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce cve-icon cve-icon
https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger cve-icon cve-icon
https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238 cve-icon cve-icon
https://www.freebuf.com/vuls/208339.html cve-icon cve-icon
https://www.seebug.org/vuldb/ssvid-98020 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact