Who is affected by the Fastjson vulnerability CVE-2022-25845?

This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize.

How can CVE-2022-25845 be exploited?

An exploit that was published by YoungBear runs an arbitrary OS command by supplying a JSON.

How can CVE-2022-25845 be remediated?

To fully remediate CVE-2022-25845, we recommend upgrading Fastjson to the latest version, which is currently 1.2.83.

How can CVE-2022-25845 be mitigated?

Enabling Fastjson’s “Safe Mode” mitigates this vulnerability.

Is the JFrog Platform Vulnerable to this Fastjson vulnerability?

After conducting a comprehensive internal inspection, we concluded that the JFrog DevOps platform is not vulnerable to this latest Fastjson vulnerability.

Xray Archives

Crashing Industrial Control Systems at Pwn2Own Miami 2022

August 25, 2022 Or Peles, Omer Kaspi and Uriya Yavnieli | 13 min read

Earlier this year, the JFrog Security research team competed in the Pwn2Own Miami 2022 hacking competition which focuses on Industrial Control Systems (ICS) security. We were proud to take part in this competition and join other researchers in the effort to make mission-critical industrial environments safe and secure. During the Pwn2Own Miami competition we competed…

Recapping Yalla! DevOps 2022

July 28, 2022 The JFrog Team | 9 min read

.twitter-tweet{margin-left: auto !important; margin-right: auto !important;} TL;DR Yalla! DevOps 2022 community event -- Learning. Networking. Fun. Driven by the DevOps community. All about the DevOps community. Yalla! DevOps was back again this year with an exciting lineup of content ranging from DevOps, DevSecOps, professional development and more. Local speakers from the DevOps community and industry…

How To Put Cloud Nimble to Work to Segment Dev/Test from Production

August 23, 2022 John Cabaniss and Gianni Truzzi | 7 min read

In every workplace, most work gets done at the most cluttered desks. Yet the business also requires an orderly front office to run efficiently. It’s much the same with your DevOps pipeline environments, as the rough and tumble process of innovating code must ultimately produce cleanly released applications. Continuous integration means that developers perform many…

7 Ways to Accelerate Cloud Native Development

July 21, 2022 Gianni Truzzi | 7 min read

Modern enterprises understand the need to move away from developing monolithic applications to ones that make best use of the cloud to enable business acceleration at scale and speed. That means transforming development to more resilient cloud native architectures that can be readily deployed to cloud, multi-cloud, and hybrid environments. What does it mean to…

JFrog Xray Integration with AWS Security Hub

July 26, 2022 Alex Hung, Sr. Software Developer & Daniel Miakotkin, Software Engineer | 5 min read

SecOps demands vigilance, but it requires visibility, too. With JFrog’s latest integration for Xray with AWS Security Hub, you can help make sure that discovered vulnerabilities are not just seen, but quickly acted on. AWS Security Hub is the cloud security posture management service available to AWS users. It provides central security administration across AWS…

How To Put Cloud Nimble to Work to Shift Left Security

July 20, 2022 John Cabaniss, Strategic Solutions Architect and Gianni Truzzi | 6 min read

Shifting security left means preventing developers from using unacceptably vulnerable software supply chain components as early as possible: before their first build. By helping assure that no build is ever created using packages with known vulnerabilities, this saves substantial remediation costs in advance. Some JFrog customers restrict the use of open source scanning software (OSS)…

Testing resiliency against malicious package attacks: a double-edged sword?

July 12, 2022 Andrey Polkovnychenko | 13 min read

The JFrog Security research team continuously monitors popular open-source software (OSS) repositories with our automated tooling to avert potential software supply chain security threats, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. At times, we notice trends that are worth analyzing and learning from. Recently, we’ve noticed a…

Team Up on DevSecOps with JFrog Platform App for Microsoft Teams

July 11, 2022 Deep Datta and Karol Harezlak | 4 min read

The JFrog DevOps Platform is your mission-critical tool for your software development pipelines. The results of key binary management events in JFrog Artifactory, JFrog Xray, and JFrog istribution can reveal whether or not your software pipelines are on-track to deliver production-quality releases. The new JFrog Platform app for Microsoft Teams brings real-time visibility and awareness…

CVE-2022-30522 – Denial of Service (DoS) Vulnerability in Apache httpd “mod_sed” filter

June 28, 2022 Brian Moussalli | 8 min read

This past March we posted an analysis of a vulnerability in the Apache HTTP Server mod_sed filter module, CVE-2022-23943, in which a Denial of Service (DoS) can be triggered due to a miscalculation of buffers’ sizes. While analyzing this Apache httpd vulnerability and its patch, we suspected that although the fix resolved the issue, it…

CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability

June 14, 2022 Uriya Yavnieli | 11 min read

A few weeks ago, a new version for Fastjson was released (1.2.83) which contains a fix for a security vulnerability that allegedly allows an attacker to execute code on a remote machine. According to several publications, this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution. This Fastjson…

Welcome to the JFrog Blog

Latest from Xray :

How to Connect the JFrog Platform to Your GitHub Environment to Create a Seamless Integration