PT-2025-48081 · Jishenghua · Jsherp
Published 2025-11-25 · Updated 2025-12-02 · CVE-2025-51742
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
jishenghua JSH ERP version 2.3.1
Description
An issue exists in the software where the /material/getMaterialEnableSerialNumberList API endpoint passes the search query parameter directly to Fastjson's parseObject() function. This introduces a Fastjson deserialization flaw that could allow Remote Code Execution (RCE) through the use of JDBC payloads.
Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /material/getMaterialEnableSerialNumberList endpoint, and avoid using the search parameter of the affected API endpoint until the issue is resolved.
Fix
RCE
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
CVE-2025-51742
Affected Products
Jsherp
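The following is an added example and is not JSH ERP's own code. It contrasts the pattern the Description section identifies (an untrusted search parameter handed straight to Fastjson's generic parseObject()) with a hardened handler that parses into a fixed, fields-only DTO with Fastjson's safeMode enabled. The class names MaterialSearchExample and MaterialSearch and the field names materialParam and depotId are hypothetical; the example assumes a Fastjson 1.2.x release that provides ParserConfig.setSafeMode() (1.2.68 or later).

```java
// Added example, not JSH ERP's own code. Vulnerable pattern beside a
// hardened one for an endpoint that receives a JSON "search" parameter.
// Class and field names are hypothetical. Assumes Fastjson >= 1.2.68
// (ParserConfig.setSafeMode is available).
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class MaterialSearchExample {

    // Vulnerable pattern (simplified): the raw request parameter is parsed with
    // the untyped API. If autoType is honoured, a caller-supplied "@type" key
    // selects which class Fastjson instantiates, which is the deserialization
    // flaw the advisory describes.
    static JSONObject parseSearchUnsafe(String search) {
        return JSON.parseObject(search);
    }

    // Hardened: a plain DTO exposing only the fields the endpoint needs.
    // Fastjson populates it via the public setters; unknown keys are ignored.
    public static class MaterialSearch {
        private String materialParam;
        private Long depotId;
        public String getMaterialParam() { return materialParam; }
        public void setMaterialParam(String v) { materialParam = v; }
        public Long getDepotId() { return depotId; }
        public void setDepotId(Long v) { depotId = v; }
    }

    static {
        // safeMode turns autoType off completely, so "@type" in the input is
        // no longer used to pick a class. This is the primary control.
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    static MaterialSearch parseSearchHardened(String search) {
        if (search == null || search.length() > 2048) {
            throw new IllegalArgumentException("search parameter missing or too long");
        }
        // Defence in depth on top of safeMode: refuse the polymorphic-type key
        // explicitly so the rejection shows up in application logs instead of
        // being silently ignored by the parser.
        if (search.contains("@type")) {
            throw new IllegalArgumentException("polymorphic type keys are not accepted");
        }
        // Parse into the fixed DTO: only the two known fields can be set.
        return JSON.parseObject(search, MaterialSearch.class);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String benign = "{\"materialParam\":\"bolt\",\"depotId\":3}";
        MaterialSearch s = parseSearchHardened(benign);
        System.out.println("accepted: " + s.getMaterialParam() + " / depot " + s.getDepotId());

        try {
            parseSearchHardened("{\"@type\":\"example.NotAllowed\",\"materialParam\":\"x\"}");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The typed parse plus safeMode is the fix-side control; the string check is only there to make rejected requests visible for monitoring. The length limit and the endpoint-level access restriction from the Recommendations section are the interim mitigations for deployments that cannot upgrade immediately.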