CVE-2022-25845
HIGH 8.1 | EPSS 88.9% | Unsafe deserialization in com.alibaba:fastjson
Published: 2022/6/11 | Modified: 2026/3/13
Description
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
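The workaround named above, as an added example (not code from the advisory or from the fastjson project): it turns on safeMode and checks that a document carrying an `@type` key is rejected rather than resolved to a class. It assumes fastjson 1.2.68 or later, where `ParserConfig.setSafeMode` and the `fastjson.parser.safeMode` system property exist; the `Order` class and the sample JSON are constructed for the example.

```java
// Added example: enabling fastjson safeMode and verifying it is in effect.
// Assumes fastjson >= 1.2.68 (ParserConfig.setSafeMode is available).
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonSafeModeCheck {

    // Constructed DTO: parsing into a declared target type still works with
    // safeMode on, because no autoType (class-name-driven) resolution is used.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Returns true when safeMode rejects an "@type" key, false when the key
    // was honoured (meaning the workaround is not actually in effect).
    public static boolean safeModeRejectsAtType(String json) {
        try {
            JSON.parse(json);
            return false;
        } catch (JSONException e) {
            // fastjson reports "safeMode not support autoType : <name>"
            return true;
        }
    }

    public static void main(String[] args) {
        // Option 1: set globally in code.
        // Option 2 (equivalent, no code change): start the JVM with
        //   -Dfastjson.parser.safeMode=true
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Constructed input without "@type": parses normally.
        Order ok = JSON.parseObject("{\"id\":\"A-1\",\"quantity\":3}", Order.class);
        System.out.println("parsed id=" + ok.id + " quantity=" + ok.quantity);

        // Constructed input carrying "@type" (a benign class here). With
        // safeMode on, fastjson refuses every "@type", whatever the name.
        String typed = "{\"@type\":\"java.util.HashMap\",\"id\":\"A-2\"}";
        System.out.println(safeModeRejectsAtType(typed)
                ? "safeMode in effect: @type rejected"
                : "WARNING: @type accepted; safeMode is not in effect");
    }
}
```

Running this check at application start-up is a cheap way to confirm the system property or code-level setting has reached the `ParserConfig` instance the application actually uses.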
Affected packages (1)
- Maven / com.alibaba:fastjson: >= 1.2.25, < 1.2.83
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-25845
- PATCH: https://github.com/alibaba/fastjson
- WEB: https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d
- WEB: https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15
- WEB: https://github.com/alibaba/fastjson/releases/tag/1.2.83
- WEB: https://github.com/alibaba/fastjson/wiki/security_update_20220523
- WEB: https://snyk.io/vuln/SNYK-JAVA-COMALIBABA-2859222
- WEB: https://www.ddosi.org/fastjson-poc
- WEB: https://www.oracle.com/security-alerts/cpujul2022.html