Versions of the package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data: under certain conditions, the restrictions that apply when autoType is disabled (the default) can be bypassed. Exploiting this vulnerability allows attacking remote servers. Workaround: if upgrading is not possible, you can enable safeMode. Note that safeMode disables autoType entirely, so applications that rely on autoType should be tested before it is turned on.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25845.json"
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "22.2.0"
}
]
}
]
[
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"61024697520050202701621572067117824757",
"299278800782337073088942980025648933138"
],
"threshold": 0.9
},
"source": "https://github.com/alibaba/fastjson/commit/26f13f84fdd522de10678e43f55fde918ab7b347",
"id": "CVE-2022-25845-1b85b0de",
"target": {
"file": "src/main/java/com/alibaba/fastjson/JSON.java"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "263709127359607957505066787466238883719",
"length": 496.0
},
"source": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15",
"id": "CVE-2022-25845-2ececd91",
"target": {
"file": "src/test/java/com/alibaba/json/bvt/PointTest2.java",
"function": "test_point"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"42019374667715151548414386455597848271",
"261647332084669642067673889074193407907",
"140652181733654025014420524657994915642",
"281677047825629461810306487545906737319",
"42344365482721568115775040764119899550",
"254488526636465409923827814493820827872",
"49913526691816752756705378546368183645",
"132183748340968926055092878820199561410",
"156858443304170883432898439978142462304",
"88061640506583648181423432113786249999",
"312233732510431193073146015508573863848",
"135489702588547835646695090408342491553",
"128148263078011778332722549528505039295",
"194755019387191719519394707370691003228",
"37789225863914031121875611446504120094",
"53144270407581646639484539682170737568",
"238299898149172482960273210745948667370",
"61720797564892288091435181523276315527",
"220146179592950675355142283854598856213",
"86449347169640609840825447401542692571",
"161512536767571553818986129398903362583",
"185191352221934877561875350592375496405",
"246125325798476598517410149646837409229",
"239250099492412344066030563567670406529",
"274534710593711184383895400790624615892",
"247086880050703216695258984153205170608",
"291434916556184221354847747186853857873",
"114724774186460852979732007555435287230",
"110912965948561628047095055388931416228",
"86728366194803233130514475274098431063",
"92132590868500742699976083404475379917",
"110253794791082447594130223549992602360",
"150311191359098418195106862007470667357",
"68127192807873558300546325950907091928",
"257174281971252908410083431901768124606",
"156661812714532894813963664888815193134",
"22555810421602849679738864098775285326",
"28294348546258085355871189317662304685",
"198442294796523179829112633889137251492",
"239552984243007006362474039758678824054",
"137838775446629889243361775167923328005",
"164535402268719813254638406688155991116",
"24535438523346546395283953533138832349",
"305505177723542457417771748079052646423",
"22594433761210503568401996059479269374",
"147519113533513755760476834195306337670",
"109438782601948442361221323390461224721",
"108370928176284982373927645155840684438",
"172610104072177208318374416424507283744",
"173982959830285498680711886129017996223",
"257905104262350477702357137341305454418",
"314369326295053333171928106470504602310",
"14535924420209791383866767963920337849",
"81452139915633522815676464911882533244",
"140586724875599386380932660728555728047",
"325377413254581394098306480201053172646",
"17270619930087626191052675823308302589",
"125648168627692082683766204151380102727",
"179227163271768488295561188507685525347",
"164437503825906020546370955693321941374",
"115702398258520763902560805589070144931",
"26378778051551351512028745259876588752",
"153398886045706505036261299964847292672",
"298649941837505280518897706664212961315",
"282733859300870437927482783796393401331",
"145371376845343627788362004901246686103",
"135717222437622676537684030412648010311",
"301221374054761452611723826904016319759",
"9999553244590762179180539078362410675",
"137531530795646165778657260825453629174",
"173230956339928869567501147124263420942",
"203322116337848706140214141757205144408",
"170672131831968689939747766393964734741",
"66781267003266104305615643665111944685",
"191962870328976087574734121280085330359",
"11767683388579311843561642416002044371",
"11530123334182055188826253827836930710",
"179197548024987212124385182998738869663"
],
"threshold": 0.9
},
"source": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d",
"id": "CVE-2022-25845-3170e760",
"target": {
"file": "src/main/java/com/alibaba/fastjson/parser/ParserConfig.java"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"327656689625169491807666196008214900878",
"264184945322064187024201558092645048986",
"59217624312272304474253748749603366137",
"289059678654717703797742436058568310759",
"98780712871516867734269464847596618482",
"308930319451266143944166162017117647243",
"22030314772773981362218784200177426196",
"217152839289230024632560064188348811825"
],
"threshold": 0.9
},
"source": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d",
"id": "CVE-2022-25845-4fa7a2f7",
"target": {
"file": "src/test/java/com/alibaba/json/bvt/bug/Bug_for_Exception.java"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "117009548729306227632091226377174928215",
"length": 5379.0
},
"source": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d",
"id": "CVE-2022-25845-636e551a",
"target": {
"file": "src/main/java/com/alibaba/fastjson/parser/ParserConfig.java",
"function": "checkAutoType"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"307354704135657781910514977929763440486",
"51975395138924324950625600576954410951",
"271777464816131209055282230261021351129",
"163560256713937870037448241114952760138",
"321890371100865715481734615895251214529",
"32002887047850819828764123837068232168"
],
"threshold": 0.9
},
"source": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15",
"id": "CVE-2022-25845-7c98c97b",
"target": {
"file": "src/test/java/com/alibaba/json/bvt/PointTest2.java"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "240822137874923677560138862440143889681",
"length": 5535.0
},
"source": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15",
"id": "CVE-2022-25845-7db3b5da",
"target": {
"file": "src/main/java/com/alibaba/fastjson/parser/ParserConfig.java",
"function": "checkAutoType"
}
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"function_hash": "119569938027679302348743738115144129512",
"length": 192.0
},
"source": "https://github.com/alibaba/fastjson/commit/35db4adad70c32089542f23c272def1ad920a60d",
"id": "CVE-2022-25845-f23c538b",
"target": {
"file": "src/test/java/com/alibaba/json/bvt/bug/Bug_for_Exception.java",
"function": "test_exception"
}
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"279778734672497193238483392055050191899",
"176996511607279796619779118929455736992",
"143375764946863244132789812537296429079",
"332283741993974309432023062522397235322",
"1404219238504265575386775521685336323",
"64147909650118884293301958160046511604",
"156443741528784070429587348614862912731",
"321573775157954884819616024811654744886",
"41687807269167290856048230454736580141",
"77443944254304244915609977293331977204",
"227646832213235208728887825164132491204",
"165451544584175473920852518315985419185",
"327879516107553956642337042507272937731",
"220878704264074449644632311576743539151",
"312976143975444827748660192399712212438",
"236927902947375671068455518211940942666",
"112308287001451165323250418869879215906",
"331012731926207686766361032026253096147",
"73354394869000373839609402166001131848",
"286947571974587761575420566316202379014",
"152842980476881067451835580118000805973",
"170237711873916851670225641610397462966",
"65551011051473516133109082560697503896",
"73464906247820271211093256947176607081",
"280965213196034190130078707779433260962",
"92605237934033397134200758538890074761",
"220425484089669960502368504554362835679",
"304019371657165107089907396817985021089",
"234680468285525480204738907549358021141",
"52346519340277732542771106080314324189",
"142858511027173382931353958931998785530",
"222240702314856684584219720350090802031",
"265186336501875720966579346187810217248",
"173359784663932906160157765280712106995",
"148872278025719481490964011182173609119",
"19946848050185292064876599352389135162",
"194156155515328128583105645637314645407",
"145646132064196529228513351444645336127",
"131152046750100782268555277243681664625",
"242463975394187713292691724850120889342",
"99905842070842878903728635460215013688",
"69005983699555322753933887942173575720",
"9035500376936235785451031699049233672",
"122839025243910746787723705216666029906",
"118330719011923063554625987125305929075",
"177672784376523105262724245088568012620",
"298828003270393252915010139867227603988",
"125120550463407977210735998126039288085",
"162701364327801195020672386984553604648",
"282380388052364403300794304914388949841",
"309132222340588787562983575071215696111",
"214147216529982431086427284925079100458",
"149157435788352619095008052707972142627",
"310079603925985928468146089564539447919",
"243573475032255967069499032852518502598",
"3039438494080165595874839029140119533",
"306063246689894686999641193916026272350",
"141446578878382471240051565574549004807",
"286671283454071798650410425990679849177",
"181937363773014718217553898456743032082",
"157940904984305019032103378772267962942",
"241794423187945957489195827829773341998",
"268328261443537268198378046091705124299",
"94794701757231058527710953124968410978",
"93398550580503117074915489480846677686",
"283178181648741273939866158339939319552",
"147982901454634131718271709916537721323",
"312977854351668003564573754833750055709",
"265145092637532095648636787669986619803",
"85280621004706290324405216247637014592",
"124197036501863160527560809627259823368",
"210310514629756595359360194006135523158",
"171014986829790189095151128345866541371",
"98777810048825312084614038983151745717",
"124544531205872865643681948191257861105",
"158624453673659348759181836749396635278",
"260169949095035694960328826249232612157",
"232490144393356466451285072973563870320",
"104056200255315715737901000971760818712",
"166418760901673773945905376808308904446",
"149871535428361881712101982840060542453",
"147990193887219824656987359976368359750",
"292762491769687484329536798530071511262",
"163153551127802833579610823192734646915",
"293197090398358854591966836468084550427",
"106483988475126787649711940140062140693",
"94016447520151250836624740158647988296",
"8469258116847821092884612156130069456",
"15555259411232089508961488092201276579",
"223085391844703455412380259751316743923"
],
"threshold": 0.9
},
"source": "https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15",
"id": "CVE-2022-25845-fa68e58e",
"target": {
"file": "src/main/java/com/alibaba/fastjson/parser/ParserConfig.java"
}
}
]