CVE-2022-25845 is a high-severity security flaw (CVSS score 8.1 out of 10) in the widely used Fastjson Java library that can lead to remote code execution.
The vulnerability stems from deserialization of untrusted data in the library's AutoType feature. It has already been fixed by the project maintainers in version 1.2.83.
CVE-2022-25845 Technical Details
According to JFrog security researcher Uriya Yavnieli, the vulnerability “is still shrouded in mystery”. What is known is that it affects Java applications that rely on Fastjson version 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject API without specifying the class to deserialize into.
“There are barely any public technical details about it – who exactly is vulnerable and under which conditions?” the researcher added.
As per the official description, “Fastjson is a Java library that can be used to convert Java Objects into their JSON representation. It can also be used to convert a JSON string to an equivalent Java object.” The library can work with arbitrary Java objects including pre-existing objects for which developers have no source code.
AutoType, the vulnerable feature, is enabled by default. It lets a JSON input itself name, through its “@type” key, the class that the input should be deserialized into, instead of the application choosing that class in code.
The problem arises when the JSON being parsed is user-controlled and AutoType is enabled. This is a classic deserialization vulnerability: threat actors can “instantiate any class that’s available on the Classpath, and feed its constructor with arbitrary arguments,” the researcher explained in his technical write-up.
The maintainers had earlier mitigated AutoType abuse by maintaining a blocklist of dangerous classes and, later, by introducing a safeMode that disables AutoType entirely. CVE-2022-25845, however, bypasses the blocklist restrictions, so an application that has not enabled safeMode can still be driven to remote code execution.
Fastjson users should update to version 1.2.83 or later, or enable safeMode, which turns AutoType off entirely and prevents this class of deserialization attack.
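The following program is an added example, not code from the article or from the Fastjson project. It shows the two conditions described above side by side: the vulnerable pattern (user-controlled JSON passed to JSON.parse with no target class, AutoType honoured) and the hardened pattern (safeMode on, explicit target class). The Greeting class and the "pwned" input are constructed stand-ins; the point is that the JSON, not the application, picks the class and drives its setter. AutoType is requested per call with Feature.SupportAutoType so that the demonstration does not depend on the global default of whichever 1.2.x version is installed.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;

public class AutoTypeDemo {

    // Harmless stand-in for "any class on the classpath" (assumption for the demo).
    // A real gadget class would do something dangerous in a constructor or setter;
    // here the setter only prints, so the effect of AutoType is visible and safe.
    public static class Greeting {
        private String name;

        public void setName(String name) {
            this.name = name;
            System.out.println("Greeting.setName(\"" + name + "\") invoked while parsing");
        }

        public String getName() {
            return name;
        }
    }

    // Constructed attacker-controlled input: the "@type" key names the class to instantiate.
    static final String UNTRUSTED =
            "{\"@type\":\"AutoTypeDemo$Greeting\",\"name\":\"pwned\"}";

    public static void main(String[] args) {
        // Vulnerable pattern: no target class given, so the JSON decides what gets built.
        // Feature.SupportAutoType enables AutoType for this call.
        Object parsed = JSON.parse(UNTRUSTED, Feature.SupportAutoType);
        System.out.println("JSON.parse built an instance of: " + parsed.getClass().getName());

        // Hardened pattern, step 1: safeMode turns AutoType off process-wide, so any
        // "@type" key in untrusted input is rejected with a JSONException.
        ParserConfig.getGlobalInstance().setSafeMode(true);
        try {
            JSON.parseObject(UNTRUSTED, Greeting.class);
            System.out.println("unexpected: @type was accepted");
        } catch (JSONException e) {
            System.out.println("rejected by safeMode: " + e.getMessage());
        }

        // Hardened pattern, step 2: always name the expected class in code; with
        // safeMode on, that class is the only thing fastjson will instantiate.
        Greeting g = JSON.parseObject("{\"name\":\"alice\"}", Greeting.class);
        System.out.println("hello " + g.getName());
    }
}
```

Compile against fastjson 1.2.68 or later (the version that introduced safeMode) and run with the class file on the classpath. The same switch can be applied without code changes by starting the JVM with -Dfastjson.parser.safeMode=true, which is the simplest mitigation for deployments that cannot immediately move to 1.2.83.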