Github Security Blog | added 2026/01/09 9:31 a.m.

FASTJSON Includes Functionality from Untrusted Control Sphere

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...

CVSS 10 | AI score 7.2 | EPSS 0.0069
Exploits 0 | References 9 | Affected software 1

Snyk | added 2026/01/09 7:41 a.m.

Unsafe Dependency Resolution

Overview com.alibaba:fastjson is a fast JSON parser/generator for Java. Affected versions of this package are vulnerable to Unsafe Dependency Resolution due to the unsafe implementation of the checkAutoType function. An attacker can execute arbitrary code by supplying a crafted JSON document...

CVSS 10 | AI score 9 | EPSS 0.0069
Exploits 0 | References 3

vulnersOsv | added 2026/01/09 7:41 a.m.

ai.houyi:dorado (>=0.0.1 <=0.0.8), ai.houyi:dorado-core (>=0.0.11 <=0.0.51) +3602 more potentially affected by CVE-2025-70974 via com.alibaba:fastjson (>=1.1.15 <=1.2.47)

com.alibaba:fastjson MAVEN version =1.1.15, =0.0.1, =0.0.11, =0.0.16, =0.0.1, =0.0.14, =0.0.47, =0.0.14, =0.3.0, =3.0.0, =1.0.0, =1.0.1, =1.0.2 and more Source cves: CVE-2025-70974 Source advisory: SNYK:JAVA-COMALIBABA-14908847...

CVSS 10 | AI score 7.8 | EPSS 0.0069
Exploits 0

NVD | added 2026/01/09 7:16 a.m.

CVE-2025-70974

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...

CVSS 10 | EPSS 0.0069
Exploits 0 | References 10

Vulnrichment | added 2026/01/09 6:43 a.m.

CVE-2025-70974

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...

CVSS 10 | AI score 6.7 | EPSS 0.0069
Exploits 0 | References 7

CVE | added 2026/01/09 6:43 a.m.

CVE-2025-70974

CVE-2025-70974 concerns Alibaba Fastjson before 1.2.48. The issue arises from how autoType is handled: when a JSON document contains an @type key whose value is a Java class name, certain public methods may be invoked, enabling a JNDI injection with an attacker-controlled payload. The vulnerabili...

CVSS 10 | AI score 6.7 | EPSS 0.0069
In wild | Exploits 0 | References 10

EUVD | added 2026/01/09 6:43 a.m.

EUVD-2026-1694

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...

CVSS 10 | AI score 6.6 | EPSS 0.3897
Exploits 7 | References 9

Cvelist | added 2026/01/09 6:43 a.m.

CVE-2025-70974

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...

CVSS 10 | EPSS 0.0069
Exploits 0 | References 7

CNNVD | added 2026/01/09 12:00 a.m.

Fastjson security vulnerability

Fastjson is an open-source Java-based fast JSON parser/generator from Alibaba. Fastjson versions prior to 1.2.48 contain a security vulnerability that stems from improper handling of autoType, which may lead to JNDI injection attacks...

CVSS 10 | AI score 9.4 | EPSS 0.0069
Exploits 0 | References 7

Positive Technologies | added 2026/01/09 12:00 a.m.

PT-2026-1957

Name of the vulnerable software and affected versions: Alibaba Fastjson versions prior to 1.2.48
Description: The software contains a critical deserialization issue due to improper handling of the autoType feature, which could allow for remote code execution. The issue arises when a JSON document...

CVSS 10 | AI score 9.9 | EPSS 0.0069
Exploits 0 | References 19

vulnersOsv | added 2025/11/28 6:30 p.m.

cc.ddrpa.dorian.polystash:polystash-spring-boot-starter (=1.0.0), com.alibaba.fastjson2:fastjson2-extension (>=2.0.27 <=2.0.62) +39 more potentially affected by CVE-2025-12183 via org.lz4:lz4-pure-java (=1.8.0)

org.lz4:lz4-pure-java MAVEN version =1.8.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.lz4:lz4-pure-java and may be impacted: - cc.ddrpa.dorian.polystash:polystash-spring-boot-starter =1.0.0 - com.alibaba.fastjson2:fastjson2-extension =2.0.27,...

CVSS 8.8 | AI score 6.8 | EPSS 0.00647
Exploits 0

RedhatCVE | added 2025/11/26 12:42 a.m.

CVE-2025-51744

An issue was discovered in jishenghua JSHERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks...

CVSS 9.8 | AI score 7.1 | EPSS 0.00407
Exploits 0 | References 1

RedhatCVE | added 2025/11/26 12:42 a.m.

CVE-2025-51746

An issue was discovered in jishenghua JSHERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks...

CVSS 9.8 | AI score 7.1 | EPSS 0.00407
Exploits 0 | References 1

RedhatCVE | added 2025/11/26 12:42 a.m.

CVE-2025-51743

An issue was discovered in jishenghua JSHERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks...

CVSS 9.8 | AI score 7.1 | EPSS 0.00407
Exploits 0 | References 1

RedhatCVE | added 2025/11/26 12:42 a.m.

CVE-2025-51742

An issue was discovered in jishenghua JSHERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject, introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads...

CVSS 9.8 | AI score 7 | EPSS 0.00407
Exploits 0 | References 1
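Every advisory above describes the same sink: attacker-controlled JSON reaching Fastjson's parseObject with an @type key whose value names a Java class (the CVE-2025-70974 autoType description, and the JSHERP entries such as CVE-2025-51742, where a query parameter goes straight into parseObject). The following is an added example, not code from Fastjson, Vulners or any advisory listed here: a Python input-screening check that parses a JSON document and reports every @type key at any depth, plus any string value carrying a JNDI URL scheme. The sample documents, the class names such as example.NotARealClass and the host attacker.example are constructed for the demonstration; the scheme list (ldap, ldaps, rmi, iiop, dns) is an assumption about what is worth flagging, and the textual fallback on unparseable input reflects that Fastjson accepts syntax (single-quoted strings, unquoted keys) that strict JSON parsers reject.

```python
"""Screen JSON input for Fastjson autoType steering before it reaches parseObject.

Fastjson treats the value of an "@type" key as a Java class name to instantiate,
so any request body or query parameter later handed to JSON.parseObject() is a
sink.  This check parses the document first, so that an escaped key such as
"\\u0040type" is normalised to "@type", then walks every object and array.
"""
import json
import re

# Assumption: JNDI provider URL schemes worth flagging wherever they appear as
# string values, since an attacker-chosen class may resolve them.
JNDI_SCHEME = re.compile(r"^\s*(ldap|ldaps|rmi|iiop|dns)://", re.IGNORECASE)

# Loose shape of a fully qualified Java class name (at least one package segment).
JAVA_CLASS = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")

# Fallback for text a strict parser rejects: look for the key in its raw or
# unicode-escaped spelling.
RAW_TYPE_KEY = re.compile(r"@type|\\u0040type", re.IGNORECASE)

TYPE_KEY = "@type"  # Fastjson's default type key


def find_autotype(doc, path="$"):
    """Return a finding for every @type key and every JNDI URL value under doc."""
    findings = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            child = f"{path}.{key}"
            if key == TYPE_KEY:
                findings.append({
                    "path": child,
                    "kind": "autotype",
                    "value": value,
                    "looks_like_class": isinstance(value, str)
                    and bool(JAVA_CLASS.match(value)),
                })
            if isinstance(value, str) and JNDI_SCHEME.match(value):
                findings.append({"path": child, "kind": "jndi_url", "value": value})
            findings.extend(find_autotype(value, child))
    elif isinstance(doc, list):
        for index, item in enumerate(doc):
            findings.extend(find_autotype(item, f"{path}[{index}]"))
    return findings


def scan(raw):
    """Parse raw JSON text and decide whether it may reach parseObject."""
    try:
        doc = json.loads(raw)
    except ValueError:
        # Unparseable by a strict parser does not mean unparseable by Fastjson,
        # so fall back to a textual search and refuse on any hit.
        hit = RAW_TYPE_KEY.search(raw) is not None
        return {"parsed": False, "findings": [], "block": hit}
    findings = find_autotype(doc)
    return {"parsed": True, "findings": findings, "block": bool(findings)}


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "benign": '{"name": "widget", "qty": 3}',
    "probe": '{"@type": "example.NotARealClass", "target": "ldap://attacker.example/x"}',
    "escaped_nested": '{"user": {"\\u0040type": "example.Nested"},'
                      ' "items": [{"@type": "example.InList"}]}',
    "lenient": "{'@type': 'example.Quoted'}",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        verdict = scan(body)
        print(label, "BLOCK" if verdict["block"] else "allow", verdict["findings"])
```

Parsing first matters because Fastjson decodes the \u0040 escape before it compares the key, so a regex over the raw body alone misses the escaped spelling; the textual fallback only runs when strict parsing fails. A hit is a reason to reject the request, not a fix: on the application side the durable change is to keep autoType disabled (or Fastjson's safeMode on) and to parse into a concrete class rather than calling parseObject on raw input.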

RedhatCVE | added 2025/11/26 12:42 a.m.

CVE-2025-51745

An issue was discovered in jishenghua JSHERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks...

CVSS 9.8 | AI score 7.1 | EPSS 0.00407
Exploits 0 | References 1

EUVD | added 2025/11/25 9:32 p.m.

EUVD-2025-199651

An issue was discovered in jishenghua JSHERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks...

AI score 6.5 | EPSS 0.00407
Exploits 0 | References 5

EUVD | added 2025/11/25 9:32 p.m.

EUVD-2025-199649

An issue was discovered in jishenghua JSHERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks...

AI score 6.5 | EPSS 0.00407
Exploits 0 | References 5

EUVD | added 2025/11/25 9:32 p.m.

EUVD-2025-199650

An issue was discovered in jishenghua JSHERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks...

AI score 6.5 | EPSS 0.00407
Exploits 0 | References 5

EUVD | added 2025/11/25 9:32 p.m.

EUVD-2025-199648

An issue was discovered in jishenghua JSHERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks...

AI score 6.5 | EPSS 0.00407
Exploits 0 | References 5