CVE Alert

CVE-2025-70974

Severity CRITICAL 10.0
CVSS Score 10.0
EPSS Score 0.6%
EPSS Percentile 43rd

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

CWE CWE-829
Vendor alibaba
Product fastjson
Published Jan 9, 2026
Last Updated Jun 27, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Affected Versions

Alibaba / Fastjson
0 < 1.2.48

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48
seebug.org: https://www.seebug.org/vuldb/ssvid-98020
cnvd.org.cn: https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238
freebuf.com: https://www.freebuf.com/vuls/208339.html
github.com: https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce
cloudsek.com: https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger
cert.360.cn: https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955
access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-70974
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2428203
security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-70974.json