PT-2026-1957 · Alibaba · Fastjson
Publicado
2026-01-09
·
Atualizado
2026-01-10
·
CVE-2025-70974
CVSS v3.1
10
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Alibaba Fastjson versions prior to 1.2.48
Description
The software contains a critical deserialization issue due to improper handling of the
autoType feature, which could allow for remote code execution. The issue arises when a JSON document includes an @type key with a Java class name as its value. This can lead to calls that enable remote code execution.Recommendations
Update to version 1.2.48 or later.
Correção
RCE
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Fastjson