PT-2026-1957 · Alibaba · Fastjson

Published

2026-01-09

Updated

2026-01-10

CVE-2025-70974

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Alibaba Fastjson versions prior to 1.2.48

Description The software contains a critical deserialization issue due to improper handling of the autoType feature, which could allow for remote code execution. The issue arises when a JSON document includes an @type key with a Java class name as its value. This can lead to calls that enable remote code execution.

Recommendations Update to version 1.2.48 or later.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-829

Related Identifiers

CVE-2025-70974

GHSA-JM7W-5684-PVH8

Affected Products

Fastjson

PT-2026-1957 · Alibaba · Fastjson

CVE-2025-70974

Weakness Enumeration

Related Identifiers

Affected Products

References · 15