Cybersecurity researchers have detailed a recently patched, high-severity vulnerability in the popular Fastjson library that could potentially be exploited to achieve remote code execution.
Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called “AutoType.” It has been patched by the project maintainers in version 1.2.83, released on May 23, 2022.
“This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and pass user-controlled data to the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize,” JFrog’s Uriya Yavnieli said in a write-up.
Fastjson is a Java library used to convert Java objects into their JSON representation and vice versa. AutoType, the feature affected by the flaw, is enabled by default and is designed to specify a custom type when parsing a JSON input, which can then be deserialized into an object of the appropriate class.
“However, if the deserialized JSON is user-controlled, parsing it with AutoType enabled could lead to a deserialization security issue, because the attacker could instantiate any class available on the class path and feed its constructor with arbitrary arguments,” Yavnieli explained.
While the project owners previously introduced a safeMode that disables AutoType and started maintaining a block list of classes to protect against deserialization flaws, the newly discovered vulnerability bypasses the latter of these restrictions to result in remote code execution.
Fastjson users are advised to update to version 1.2.83 or to enable safeMode, which disables the feature regardless of the allow and block lists in use, effectively shutting down variants of the deserialization attack.
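The hardened configuration described above, as an added example that is not from the article or the Fastjson project: safeMode is switched on globally, untrusted input is only ever deserialized into one explicit class, and any `@type` directive is rejected up front. It assumes `com.alibaba:fastjson:1.2.83` on the classpath and a hypothetical `LoginRequest` POJO.

```java
// Added example, not code from the article or the Fastjson project.
// Assumes fastjson 1.2.83 on the classpath; LoginRequest is hypothetical.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class HardenedFastjson {

    // The ONLY type that untrusted request bodies may be turned into.
    public static class LoginRequest {
        private String username;
        private String otp;
        public String getUsername() { return username; }
        public void setUsername(String u) { username = u; }
        public String getOtp() { return otp; }
        public void setOtp(String o) { otp = o; }
    }

    static {
        // safeMode disables AutoType entirely, independent of allow/block lists.
        // Equivalent JVM flag: -Dfastjson.parser.safeMode=true
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    // Vulnerable pattern to avoid: JSON.parse(body) or JSON.parseObject(body)
    // with no target class on untrusted input. Always name the class instead.
    public static LoginRequest parseUntrusted(String body) {
        if (body.contains("@type")) {
            // Defence in depth: this schema never legitimately carries an
            // AutoType directive, so reject (and alert on) it before parsing.
            throw new IllegalArgumentException("rejected: @type directive in input");
        }
        return JSON.parseObject(body, LoginRequest.class);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String benign = "{\"username\":\"alice\",\"otp\":\"123456\"}";
        System.out.println("user=" + parseUntrusted(benign).getUsername());

        String withAutoType = "{\"@type\":\"com.example.Anything\",\"username\":\"x\"}";
        try {
            parseUntrusted(withAutoType);
        } catch (IllegalArgumentException | JSONException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

A rejected `@type` in a request body is worth logging as a security event rather than a plain parse failure, since it indicates someone probing the deserialization path.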
“Although a public PoC exploit exists and the potential impact is very high (remote code execution),” said Yavnieli.