Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-25845

Good to know:

icon
icon

Date: June 10, 2022

The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).

Language: Java

Severity Score

Related Resources (10)

https://nvd.nist.gov/vuln/detail/CVE-2022-25845
https://www.ddosi.org/fastjson-poc/
https://github.com/alibaba/fastjson/wiki/security_update_20220523
https://github.com/alibaba/fastjson/releases/tag/1.2.83
https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15
https://github.com/alibaba/fastjson
https://www.oracle.com/security-alerts/cpujul2022.html
https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d
https://www.ddosi.org/fastjson-poc
https://www.mend.io/vulnerability-database/CVE-2022-25845

Severity Score

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

icon

Upgrade Version

Upgrade to version com.alibaba:fastjson:1.2.83

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us