Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

High-Severity RCE Vulnerability Reported in Popular Fastjson Library

Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution.

Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called “AutoType.” It was patched by the project maintainers in version 1.2.83 released on May 23, 2022.

“This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize,” JFrog’s Uriya Yavnieli said in a write-up.

Fastjson is a Java library that’s used to convert Java Objects into their JSON representation and vice versa. AutoType, the function vulnerable to the flaw, is enabled by default and is designed to specify a custom type when parsing a JSON input that can then be deserialized into an object of the appropriate class.

“However, if the deserialized JSON is user-controlled, parsing it with AutoType enabled can lead to a deserialization security issue, since the attacker can instantiate any class that’s available on the Classpath, and feed its constructor with arbitrary arguments,” Yavnieli explained.

While the project owners previously introduced a safeMode that disables AutoType and started maintaining a blocklist of classes to defend against deserialization flaws, the newly discovered vulnerability gets around the latter of these restrictions to result in remote code execution.

Users of Fastjson are recommended to update to version 1.2.83 or enable safeMode, which turns off the function regardless of the allowlist and blocklist used, effectively closing variants of the deserialization attack.

“Although a public PoC exploit exists and the potential impact is very high (remote code execution) the conditions for the attack are not trivial (passing untrusted input to specific vulnerable APIs) and most importantly — target-specific research is required to find a suitable gadget class to exploit,” Yavnieli said.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

LastPass Discloses Second Breach in Three Months

LastPass Discloses Second Breach in Three Months

An attacker who breached the software development environment at LastPass this August and stole source code and other proprietary data…
Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines

Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines

An attacker submitting changes to an open source repository on GitHub could cause downstream software projects that include the latest…
One Year After Log4Shell, Most Firms Are Still Exposed to Attack

One Year After Log4Shell, Most Firms Are Still Exposed to Attack

The Log4j vulnerability continues to present a major threat to enterprise organizations one year after the Apache Software Foundation disclosed…