The vulnerability is tracked as CVE-2022-25845 (CVSS score 8.1) and stems from deserialization of untrusted data in the AutoType function. The project maintainers fixed it in version 1.2.83, released on May 23, 2022.
“This vulnerability affects all Java applications that transmit user-controlled data to the JSON.parse or JSON.parseObject API without specifying a specific class for deserialization and use Fastjson 1.2.80 and earlier versions of the library,” said Uriya Yavnieli of JFrog in his report.
Fastjson is a Java library used to convert Java objects to their JSON representation and back. The vulnerable AutoType function is enabled by default and lets the JSON input itself name a custom type during parsing, so the data is then deserialized into an object of that class.
“However, if the deserialized JSON is controlled by the user, parsing it with AutoType enabled can lead to unsafe deserialization, since an attacker can create any class available in Classpath and pass arbitrary arguments to its constructor,” Yavnieli explained.
Although the project maintainers had previously introduced a safeMode setting that disables AutoType, and had been maintaining a block list of classes to protect against deserialization vulnerabilities, CVE-2022-25845 bypasses these restrictions and allows attackers to execute code remotely.
Experts recommend that Fastjson users update the library to version 1.2.83 or enable safeMode, which disables AutoType regardless of the allowlist and blocklist in use.
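The two recommendations above expressed in code, as an added example that is not from the advisory, JFrog or the Fastjson project: the `Order` class, the sample JSON documents and the placeholder class name in the `@type` key are constructed for illustration.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonHardening {
    // Hypothetical application DTO: the only type user input may be bound to.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Weak pattern described in the article: no target class is given, so an
    // "@type" key inside untrusted JSON selects the class that gets instantiated.
    static Object parseWeak(String untrustedJson) {
        return JSON.parse(untrustedJson);
    }

    // Hardened pattern: bind the input to an explicit class and run with safeMode
    // on, which rejects any "@type" directive independent of allow/block lists.
    // The same effect is available via the -Dfastjson.parser.safeMode=true JVM flag.
    static Order parseHardened(String untrustedJson) {
        ParserConfig.getGlobalInstance().setSafeMode(true);
        return JSON.parseObject(untrustedJson, Order.class);
    }

    public static void main(String[] args) {
        // Constructed samples: an ordinary order and one carrying an "@type" key
        // (the class name is a placeholder, not a real gadget).
        String benign = "{\"id\":\"A-1\",\"quantity\":2}";
        String withType = "{\"@type\":\"com.example.PlaceholderClass\",\"id\":\"A-1\"}";

        Order ok = parseHardened(benign);
        System.out.println("bound order id=" + ok.id + " quantity=" + ok.quantity);

        try {
            parseHardened(withType);
            System.out.println("unexpected: @type input was accepted");
        } catch (JSONException e) {
            // safeMode refuses the @type directive before any class is resolved.
            System.out.println("rejected by safeMode: " + e.getMessage());
        }
    }
}
```

Setting safeMode on the global `ParserConfig` applies process-wide; applications that rely on AutoType for trusted internal data must instead upgrade to 1.2.83 or later.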