37 matches found
Fastjson Insecure Deserialization - Remote Code Execution
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...
CVE-2017-18349
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...
FASTJSON Includes Functionality from Untrusted Control Sphere
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...
ai.houyi:dorado (>=0.0.1 <=0.0.8), ai.houyi:dorado-core (>=0.0.11 <=0.0.51) +3600 more potentially affected by CVE-2025-70974 via com.alibaba:fastjson (>=1.1.15 <=1.2.47)
com.alibaba:fastjson MAVEN version =1.1.15, =0.0.1, =0.0.11, =0.0.16, =0.0.1, =0.0.14, =0.0.47, =0.0.14, =0.3.0, =3.0.0, =1.0.0, =1.0.1, =1.0.2 and more Source cves: CVE-2025-70974 Source advisory: SNYK:JAVA-COMALIBABA-14908847...
EUVD-2026-1694
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...
CVE-2025-63617
ktg-mes before commit a484f96 2025-07-03 has a fastjson deserialization vulnerability. This is because it uses a vulnerable version of fastjson and deserializes unsafe input data...
EUVD-2025-50782
ktg-mes before commit a484f96 2025-07-03 has a fastjson deserialization vulnerability. This is because it uses a vulnerable version of fastjson and deserializes unsafe input data...
PT-2025-46192
Name of the Vulnerable Software and Affected Versions ktg-mes versions prior to commit a484f96 2025-07-03 Description The software contains a fastjson deserialization issue. This occurs due to the use of a vulnerable version of fastjson and the deserialization of untrusted input data...
CVE-2025-63617
CVE-2025-63617 affects ktg-mes prior to commit a484f96 (2025-07-03), featuring a deserialization vulnerability in fastjson due to deserializing unsafe input. Root cause: use of a vulnerable fastjson version in ktg-mes leading to incomplete input validation during deserialization. Impact (per CVSS...
EUVD-2024-53734
Malicious code in bioql PyPI...
EUVD-2024-53731
Malicious code in bioql PyPI...
EUVD-2024-53732
Malicious code in bioql PyPI...
CVE-2025-34067 Hikvision Integrated Security Management Platform Remote Command Execution via applyCT Fastjson
An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an...
VulnCheck KEV: CVE-2025-34067
An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an...
VulnCheck KEV: CVE-2025-70974
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...
CVE-2024-57763
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/addField...
CVE-2024-57764
MSFM before 2025.01.01 was discovered to contain a fastjson deserialization vulnerability via the component system/table/add...