Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-70974

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-09 Jan, 2026 | 06:43
Updated At-09 Jan, 2026 | 21:37
Rejected At-
Credits

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:09 Jan, 2026 | 06:43
Updated At:09 Jan, 2026 | 21:37
Rejected At:
â–¼CVE Numbering Authority (CNA)

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

Affected Products
Vendor
Alibaba
Product
Fastjson
Default Status
unaffected
Versions
Affected
  • From 0 before 1.2.48 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-829CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Type: CWE
CWE ID: CWE-829
Description: CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Metrics
VersionBase scoreBase severityVector
3.110.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48
N/A
https://www.seebug.org/vuldb/ssvid-98020
N/A
https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238
N/A
https://www.freebuf.com/vuls/208339.html
N/A
https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
N/A
https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
N/A
https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
N/A
Hyperlink: https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48
Resource: N/A
Hyperlink: https://www.seebug.org/vuldb/ssvid-98020
Resource: N/A
Hyperlink: https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238
Resource: N/A
Hyperlink: https://www.freebuf.com/vuls/208339.html
Resource: N/A
Hyperlink: https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
Resource: N/A
Hyperlink: https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
Resource: N/A
Hyperlink: https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:09 Jan, 2026 | 07:16
Updated At:13 Jan, 2026 | 14:03

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.110.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 10.0
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-829Primarycve@mitre.org
CWE ID: CWE-829
Type: Primary
Source: cve@mitre.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955cve@mitre.org
N/A
https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48cve@mitre.org
N/A
https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rcecve@mitre.org
N/A
https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-loggercve@mitre.org
N/A
https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238cve@mitre.org
N/A
https://www.freebuf.com/vuls/208339.htmlcve@mitre.org
N/A
https://www.seebug.org/vuldb/ssvid-98020cve@mitre.org
N/A
Hyperlink: https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://www.freebuf.com/vuls/208339.html
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://www.seebug.org/vuldb/ssvid-98020
Source: cve@mitre.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

5Records found
CVE-2020-4561
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-10||CRITICAL
EPSS-0.87% / 74.88%
||
7 Day CHG~0.00%
Published-31 May, 2021 | 15:10
Updated-17 Sep, 2024 | 03:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Cognos Analytics 11.0 and 11.1 DQM API allows submitting of all control requests in unauthenticated sessions. This allows a remote attacker who can access a valid CA endpoint to read and write files to the Cognos Analytics system. IBM X-Force ID: 183903.

Action-Not Available
Vendor-IBM CorporationNetApp, Inc.
Product-cognos_analyticsoncommand_insightCognos Analytics
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2021-41037
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-10||CRITICAL
EPSS-0.51% / 65.83%
||
7 Day CHG~0.00%
Published-08 Jul, 2022 | 03:50
Updated-04 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-equinox_p2Eclipse Equinox p2equinox_p2
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2025-0982
Matching Score-4
Assigner-Google LLC
ShareView Details
Matching Score-4
Assigner-Google LLC
CVSS Score-9.4||CRITICAL
EPSS-0.08% / 22.74%
||
7 Day CHG~0.00%
Published-06 Feb, 2025 | 11:37
Updated-30 Jul, 2025 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sandbox Escape in Google Cloud Application Integration's JavaScript Task (Rhino Engine)

Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScript code executed by the Rhino engine. Effective January 24, 2025, Application Integration will no longer support Rhino as the JavaScript execution engine. No further fix actions are needed.

Action-Not Available
Vendor-Google LLCGoogle Cloud
Product-application_integrationApplication Integration
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2022-1161
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-10||CRITICAL
EPSS-0.12% / 30.92%
||
7 Day CHG~0.00%
Published-11 Apr, 2022 | 19:38
Updated-16 Apr, 2025 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ICSA-22-090-05 Rockwell Automation Logix Controllers

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code, allowing an attacker to change one and not the other.

Action-Not Available
Vendor-Rockwell Automation, Inc.
Product-compactlogix_5380compactlogix_1769-l32e_firmwarecompactlogix_1769-l35crdrivelogix_5730guardlogix_5570guardlogix_5580compact_guardlogix_5370controllogix_5550_firmwaresoftlogix_5800_firmwarecontrollogix_5550compactlogix_1769-l32c_firmwarecompactlogix_1768-l43_firmwarecompactlogix_5370_l2_firmwarecompactlogix_1768-l45_firmwarecontrollogix_5570_firmwarecompactlogix_5480drivelogix_5730_firmwaresoftlogix_5800compactlogix_1769-l31compactlogix_5370_l3_firmwarecompactlogix_1768-l45compact_guardlogix_5370_firmwarecompact_guardlogix_5380_firmwarecontrollogix_5560compactlogix_1769-l35cr_firmwareguardlogix_5570_firmwareflexlogix_1794-l34_firmwarecontrollogix_5580compactlogix_5370_l3guardlogix_5560compactlogix_5480_firmwarecompactlogix_1768-l43compactlogix_5380_firmwarecompactlogix_1769-l35ecompactlogix_1769-l32eflexlogix_1794-l34compactlogix_5370_l1_firmwarecompactlogix_1769-l31_firmwarecontrollogix_5570compactlogix_5370_l2guardlogix_5560_firmwarecompact_guardlogix_5380controllogix_5580_firmwareguardlogix_5580_firmwarecompactlogix_1769-l35e_firmwarecompactlogix_1769-l32ccompactlogix_5370_l1controllogix_5560_firmwareCompact GuardLogix 5370 controllersControlLogix 5580 controllers1769 CompactLogix controllersCompactLogix 5380 controllersControlLogix 5550 controllersControlLogix 5560 controllers1768 CompactLogix controllersCompactLogix 5480 controllersCompactLogix 5370 controllersGuardLogix 5560 controllersGuardLogix 5580 controllersSoftLogix 5800 controllersFlexLogix 1794-L34 controllersDriveLogix 5730 controllersGuardLogix 5570 controllersControlLogix 5570 controllersCompact GuardLogix 5380 controllers
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-1699
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-10||CRITICAL
EPSS-0.03% / 10.12%
||
7 Day CHG~0.00%
Published-30 Jan, 2026 | 09:57
Updated-04 Feb, 2026 | 16:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse Theia - Website
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
Details not found