ByteOS Network

CVE Vulnerability Details :

CVE-2025-70974

PUBLISHED

More Info Official Page

Assigner-mitre

Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca

Published At-09 Jan, 2026 | 06:43

Updated At-09 Jan, 2026 | 21:37

▼CVE Numbering Authority (CNA)

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

Affected Products

Vendor

Alibaba

Product

Fastjson

Default Status

unaffected

Versions

Affected

From 0 before 1.2.48 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-829	CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Type: CWE

CWE ID: CWE-829

Description: CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Metrics

Version	Base score	Base severity	Vector
3.1	10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Version: 3.1

Base score: 10.0

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

Hyperlink	Resource
https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48	N/A
https://www.seebug.org/vuldb/ssvid-98020	N/A
https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238	N/A
https://www.freebuf.com/vuls/208339.html	N/A
https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce	N/A
https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger	N/A
https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955	N/A