CVE-2022-25845
Severity: HIGH (8.1) | EPSS: 88.9%
Unsafe deserialization in com.alibaba:fastjson
Published: 6/11/2022 | Modified: 3/13/2026
Also known as: GHSA-pv7h-hx5h-mgfj
Description
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data: under certain conditions the default autoType shutdown restrictions can be bypassed. Exploiting this vulnerability allows attacks against remote servers. Workaround: if upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
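As an added illustration of the workaround (example code written here, not taken from this advisory or the fastjson project), the snippet below turns on safeMode through the global ParserConfig and then verifies that a constructed document carrying an @type key is refused while a plain document still parses. It assumes a fastjson release that ships setSafeMode (1.2.68 or later); the input strings are constructed for the check.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeCheck {
    // Constructed input: a document carrying the @type key that autoType acts on.
    // With safeMode on, fastjson refuses it regardless of any allow/deny lists.
    private static final String TYPED_INPUT =
        "{\"@type\":\"java.lang.Object\",\"name\":\"example\"}";
    // Constructed input without @type: must keep parsing normally.
    private static final String PLAIN_INPUT = "{\"name\":\"example\"}";

    // Programmatic equivalent of -Dfastjson.parser.safeMode=true
    // or fastjson.parser.safeMode=true in fastjson.properties.
    public static void enableSafeMode() {
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Returns true when a document containing @type is rejected by the parser.
    public static boolean rejectsAutoType() {
        try {
            JSON.parseObject(TYPED_INPUT);
            return false; // parsed: safeMode is not protecting this process
        } catch (JSONException e) {
            return true;  // refused: autoType is disabled
        }
    }

    public static void main(String[] args) {
        enableSafeMode();
        if (!ParserConfig.getGlobalInstance().isSafeMode()) {
            throw new IllegalStateException("safeMode is not active");
        }
        JSONObject plain = JSON.parseObject(PLAIN_INPUT);
        System.out.println("plain document parsed: name=" + plain.getString("name"));
        System.out.println("@type document rejected: " + rejectsAutoType());
    }
}
```

Run this at application start-up (or in a smoke test) so a deployment that forgot the JVM property fails loudly instead of silently keeping autoType reachable.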
Affected packages (1)
- Maven / com.alibaba:fastjson: >= 1.2.25, < 1.2.83
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-25845
- PATCH: https://github.com/alibaba/fastjson
- WEB: https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d
- WEB: https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15
- WEB: https://github.com/alibaba/fastjson/releases/tag/1.2.83
- WEB: https://github.com/alibaba/fastjson/wiki/security_update_20220523
- WEB: https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222
- WEB: https://www.ddosi.org/fastjson-poc
- WEB: https://www.oracle.com/security-alerts/cpujul2022.html