CVE-2025-70974
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 10 | EPSS 0.6% | KEV: no | PoC: — | Nuclei: — | Metasploit: — | Patch: —
Lifecycle
09 Jan 2026: Published on NVD
Recommendation: Monitor; the tracker currently sees no exploitation signal (not in KEV, no public PoC, Nuclei template or Metasploit module listed). Note that the official description below states the issue was exploited in the wild in 2023 through 2025, so treat the automated "monitor" verdict as a data-source status, not as evidence that the bug is unexploited: if a Fastjson version before 1.2.48 is deployed with autoType reachable from untrusted JSON, prioritise it.
In short
The Fastjson library before version 1.2.48 allows attackers to execute arbitrary code by embedding malicious Java class names in JSON documents. When processing JSON containing an @type key, the library instantiates the named class and calls certain of its public methods; with a suitable class, attacker-supplied values elsewhere in the same document can drive a JNDI lookup and lead to remote code execution.
Technical detail
Fastjson's autoType feature deserializes arbitrary Java classes named via @type keys in JSON input without sufficient validation, enabling JNDI injection. An attacker crafts a JSON payload whose @type names a gadget class; setters or other public methods invoked during deserialization then consume attacker-controlled values from the same document and perform a JNDI lookup, yielding deserialization-based remote code execution. This issue exists because the fix for CVE-2017-18349 was incomplete; a later bypass is tracked separately as CVE-2022-25845.
Summary generated and translated by AI from the official description.
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
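The two descriptions above tie together an @type key naming an unexpected class and a JNDI-style payload "located elsewhere in that JSON document". The following scanner, an added example that is not part of this advisory or of the Fastjson project, applies exactly that check to a request body before it would reach a vulnerable deserializer. The allowlisted class names, the class and field names in the sample bodies, and the ldap:// target are all constructed for illustration; the descriptor-style normalization (leading `L`/`[`, trailing `;`) is an assumption about Fastjson's lenient class-name handling, not something this page states.

```python
"""Pre-deserialization scanner for Fastjson-style @type autoType abuse.

Added example (not from the advisory or the Fastjson project). It walks a
JSON document the way an attacker-controlled request body would reach
Fastjson and reports two things the CVE description ties together: an
@type key naming a class outside an allowlist, and a JNDI-style URI
(ldap://, ldaps://, rmi://, ...) anywhere else in the document.
All class names, URIs and sample bodies below are constructed.
"""
import json
import re
from dataclasses import dataclass, field

# Assumption: the application only ever expects these classes in @type.
ALLOWED_TYPES = frozenset({"com.example.api.Order", "com.example.api.Customer"})

# JNDI lookup schemes commonly used to pull a remote object/class.
JNDI_URI = re.compile(r"^\s*(ldap|ldaps|rmi|iiop|dns)://", re.IGNORECASE)


@dataclass
class Finding:
    path: str    # JSON path of the offending key or value
    kind: str    # "type", "jndi" or "unparseable"
    value: str


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return bool(self.findings)


def normalize_class_name(name: str) -> str:
    """Strip descriptor-like spellings (leading 'L' or '[', trailing ';').
    Assumption: Fastjson has accepted such spellings, so the allowlist must
    compare canonical names; a non-canonical spelling is itself suspicious."""
    name = name.strip()
    while name and name[0] in "L[":
        name = name[1:]
    while name.endswith(";"):
        name = name[:-1]
    return name


def _walk(node, path, result):
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "@type" and isinstance(value, str):
                canonical = normalize_class_name(value)
                # Block unknown classes AND evasive spellings of known ones.
                if canonical not in ALLOWED_TYPES or canonical != value.strip():
                    result.findings.append(Finding(child, "type", value))
            _walk(value, child, result)   # @type can sit at any depth
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", result)
    elif isinstance(node, str) and JNDI_URI.match(node):
        result.findings.append(Finding(path, "jndi", node))


def scan_document(body: str) -> ScanResult:
    result = ScanResult()
    try:
        parsed = json.loads(body)
    except ValueError:
        # Fail closed: Fastjson is more lenient than the json module (single
        # quotes, unquoted keys), so input we cannot parse must not pass.
        result.findings.append(Finding("", "unparseable", body[:40]))
        return result
    _walk(parsed, "", result)
    return result


# Constructed request bodies (not real captured traffic).
SAMPLES = {
    "benign": '{"@type":"com.example.api.Order","id":42,"items":[{"sku":"A1"}]}',
    "autotype_jndi": ('{"@type":"com.example.legacy.DataSourceHolder",'
                      '"dataSourceName":"ldap://203.0.113.5:1389/x","autoCommit":true}'),
    "nested_descriptor": '{"order":{"@type":"Lcom.example.api.Order;","id":1}}',
    "lenient_syntax": "{'@type':'com.example.legacy.DataSourceHolder'}",
}


def triage(samples=SAMPLES) -> dict:
    """Return {sample name: [finding kinds]} so the outcome is checkable."""
    return {name: [f.kind for f in scan_document(body).findings]
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, kinds in triage().items():
        print(f"{name:18} -> {'BLOCK' if kinds else 'allow'} {kinds}")
```

The scanner is a compensating control for inbound traffic, not a substitute for moving off the affected versions: the description's "elsewhere in that JSON document" is why the JNDI check runs over every string value rather than only the object carrying @type, and the fail-closed branch exists because a scanner built on a stricter parser than the target can otherwise be bypassed with syntax the target accepts.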
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H