Who is affected by the Fastjson vulnerability CVE-2022-25845?

This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize.

How can CVE-2022-25845 be exploited?

An exploit that was published by YoungBear runs an arbitrary OS command by supplying a JSON.

How can CVE-2022-25845 be remediated?

To fully remediate CVE-2022-25845, we recommend upgrading Fastjson to the latest version, which is currently 1.2.83.

How can CVE-2022-25845 be mitigated?

Enabling Fastjson’s “Safe Mode” mitigates this vulnerability.

Is the JFrog Platform Vulnerable to this Fastjson vulnerability?

After conducting a comprehensive internal inspection, we concluded that the JFrog DevOps platform is not vulnerable to this latest Fastjson vulnerability.

CVE-2022-25845 - Fastjson RCE vulnerability analysis

CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability

A few weeks ago, a new version for Fastjson was released (1.2.83) which contains a fix for a security vulnerability that allegedly allows an attacker to execute code on a remote machine. According to several publications, this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution. This Fastjson … Continue reading CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability